summaryrefslogtreecommitdiff
path: root/security/integrity/digsig.c
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2016-04-07 09:45:23 +0100
committerDavid Howells <dhowells@redhat.com>2016-04-11 22:49:15 +0100
commit56104cf2b8d20eed32c14eac8ac574c35377ab38 (patch)
tree7fc12f22e49f9b799c998245f226906db293255e /security/integrity/digsig.c
parentd3bfe84129f65e0af2450743ebdab33d161d01c9 (diff)
IMA: Use the the system trusted keyrings instead of .ima_mok
Add a config option (IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY) that, when enabled, allows keys to be added to the IMA keyrings by userspace - with the restriction that each must be signed by a key in the system trusted keyrings. EPERM will be returned if this option is disabled, ENOKEY will be returned if no authoritative key can be found and EKEYREJECTED will be returned if the signature doesn't match. Other errors such as ENOPKG may also be returned. If this new option is enabled, the builtin system keyring is searched, as is the secondary system keyring if that is also enabled. Intermediate keys between the builtin system keyring and the key being added can be added to the secondary keyring (which replaces .ima_mok) to form a trust chain - provided they are also validly signed by a key in one of the trusted keyrings. The .ima_mok keyring is then removed and the IMA blacklist keyring gets its own config option (IMA_BLACKLIST_KEYRING). Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/digsig.c')
-rw-r--r--security/integrity/digsig.c30
1 files changed, 4 insertions, 26 deletions
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 98ee4c752cf5..4304372b323f 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -42,32 +42,10 @@ static bool init_keyring __initdata = true;
static bool init_keyring __initdata;
#endif
-#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
-/*
- * Restrict the addition of keys into the IMA keyring.
- *
- * Any key that needs to go in .ima keyring must be signed by CA in
- * either .system or .ima_mok keyrings.
- */
-static int restrict_link_by_ima_mok(struct key *keyring,
- const struct key_type *type,
- const union key_payload *payload)
-{
- int ret;
-
- ret = restrict_link_by_builtin_trusted(keyring, type, payload);
- if (ret != -ENOKEY)
- return ret;
-
- return restrict_link_by_signature(get_ima_mok_keyring(),
- type, payload);
-}
+#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
+#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
#else
-/*
- * If there's no system trusted keyring, then keys cannot be loaded into
- * .ima_mok and added keys cannot be marked trusted.
- */
-#define restrict_link_by_ima_mok restrict_link_reject
+#define restrict_link_to_ima restrict_link_by_builtin_trusted
#endif
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
@@ -114,7 +92,7 @@ int __init integrity_init_keyring(const unsigned int id)
KEY_USR_VIEW | KEY_USR_READ |
KEY_USR_WRITE | KEY_USR_SEARCH),
KEY_ALLOC_NOT_IN_QUOTA,
- restrict_link_by_ima_mok, NULL);
+ restrict_link_to_ima, NULL);
if (IS_ERR(keyring[id])) {
err = PTR_ERR(keyring[id]);
pr_info("Can't allocate %s keyring (%d)\n",