diff options
| author | André Fabian Silva Delgado <emulatorman@parabola.nu> | 2016-09-11 04:34:46 -0300 |
|---|---|---|
| committer | André Fabian Silva Delgado <emulatorman@parabola.nu> | 2016-09-11 04:34:46 -0300 |
| commit | 863981e96738983919de841ec669e157e6bdaeb0 (patch) | |
| tree | d6d89a12e7eb8017837c057935a2271290907f76 /security/integrity/digsig.c | |
| parent | 8dec7c70575785729a6a9e6719a955e9c545bcab (diff) | |
Linux-libre 4.7.1-gnupck-4.7.1-gnu
Diffstat (limited to 'security/integrity/digsig.c')
| -rw-r--r-- | security/integrity/digsig.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 8ef15118c..4304372b3 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -18,6 +18,8 @@ #include <linux/cred.h> #include <linux/key-type.h> #include <linux/digsig.h> +#include <crypto/public_key.h> +#include <keys/system_keyring.h> #include "integrity.h" @@ -40,6 +42,12 @@ static bool init_keyring __initdata = true; static bool init_keyring __initdata; #endif +#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY +#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted +#else +#define restrict_link_to_ima restrict_link_by_builtin_trusted +#endif + int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, const char *digest, int digestlen) { @@ -83,10 +91,9 @@ int __init integrity_init_keyring(const unsigned int id) ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_WRITE | KEY_USR_SEARCH), - KEY_ALLOC_NOT_IN_QUOTA, NULL); - if (!IS_ERR(keyring[id])) - set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags); - else { + KEY_ALLOC_NOT_IN_QUOTA, + restrict_link_to_ima, NULL); + if (IS_ERR(keyring[id])) { err = PTR_ERR(keyring[id]); pr_info("Can't allocate %s keyring (%d)\n", keyring_name[id], err); |