
Revert "ima: define '_ima' as a builtin 'trusted' keyring"

This reverts commit 217091dd7a7a1bdac027ddb7c5a25f6ac0b8e241, which
caused the following build error:

security/integrity/digsig.c:70:5: error: redefinition of ‘integrity_init_keyring’
security/integrity/integrity.h:149:12: note: previous definition of ‘integrity_init_keyring’ w
security/integrity/integrity.h:149:12: warning: ‘integrity_init_keyring’ defined but not used

reported by Krzysztof Kolasa. Mimi says:

"I made the classic mistake of requesting this patch to be upstreamed
at the last second, rather than waiting until the next open window.

At this point, the best course would probably be to revert the two
commits and fix them for the next open window"

Reported-by: Krzysztof Kolasa <kkolasa@winsoft.pl>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

+1 -55
+1 -29
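--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -13,9 +13,7 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/err.h>
-#include <linux/sched.h>
 #include <linux/rbtree.h>
-#include <linux/cred.h>
 #include <linux/key-type.h>
 #include <linux/digsig.h>
 
@@ -23,19 +21,11 @@
 
 static struct key *keyring[INTEGRITY_KEYRING_MAX];
 
-#ifdef CONFIG_IMA_TRUSTED_KEYRING
-static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
-".evm",
-".module",
-".ima",
-};
-#else
 static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
 "_evm",
 "_module",
 "_ima",
 };
-#endif
 
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 const char *digest, int digestlen)
@@ -45,7 +35,7 @@
 
 if (!keyring[id]) {
 keyring[id] =
-request_key(&key_type_keyring, keyring_name[id], NULL);
+request_key(&key_type_keyring, keyring_name[id], NULL);
 if (IS_ERR(keyring[id])) {
 int err = PTR_ERR(keyring[id]);
 pr_err("no %s keyring: %d\n", keyring_name[id], err);
@@ -65,22 +55,4 @@
 }
 
 return -EOPNOTSUPP;
-}
-
-int integrity_init_keyring(const unsigned int id)
-{
-const struct cred *cred = current_cred();
-const struct user_struct *user = cred->user;
-
-keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
-KGIDT_INIT(0), cred,
-((KEY_POS_ALL & ~KEY_POS_SETATTR) |
-KEY_USR_VIEW | KEY_USR_READ),
-KEY_ALLOC_NOT_IN_QUOTA, user->uid_keyring);
-if (!IS_ERR(keyring[id]))
-set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
-else
-pr_info("Can't allocate %s keyring (%ld)\n",
-keyring_name[id], PTR_ERR(keyring[id]));
-return 0;
 }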
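Review bot: With the revert, `keyring_name[]` in the second hunk is back to `"_evm"`, `"_module"`, `"_ima"`, and the only way a keyring is obtained is the lazy `request_key(&key_type_keyring, keyring_name[id], NULL)` in the third hunk, so which keyring gets used is whatever that by-name lookup resolves in the calling context; the removed `CONFIG_IMA_TRUSTED_KEYRING` path instead allocated dot-prefixed keyrings itself with `keyring_alloc()` and marked them `KEY_FLAG_TRUSTED_ONLY`. Since the commit message says this is to be redone in the next window, that dependency is worth keeping visible at the table rather than only in git history, e.g. `/* resolved by name via request_key() on first use; the kernel-allocated, trusted-only ".ima" variant was reverted and is to be redone */` above `keyring_name[]`. `integrity_digsig_verify()` starts in the second hunk and its body continues outside the hunks shown, so the error path after `pr_err()` is not visible here.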
-8
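--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -123,11 +123,3 @@
 For more information on integrity appraisal refer to:
 <http://linux-ima.sourceforge.net>
 If unsure, say N.
-
-config IMA_TRUSTED_KEYRING
-bool "Require all keys on the _ima keyring be signed"
-depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
-default y
-help
-This option requires that all keys added to the _ima
-keyring be signed by a key on the system trusted keyring.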
-11
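--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -381,14 +381,3 @@
 }
 return result;
 }
-
-#ifdef CONFIG_IMA_TRUSTED_KEYRING
-static int __init init_ima_keyring(void)
-{
-int ret;
-
-ret = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
-return 0;
-}
-late_initcall(init_ima_keyring);
-#endif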
-7
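--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -137,18 +137,11 @@
 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
 int asymmetric_verify(struct key *keyring, const char *sig,
 int siglen, const char *data, int datalen);
-
-int integrity_init_keyring(const unsigned int id);
 #else
 static inline int asymmetric_verify(struct key *keyring, const char *sig,
 int siglen, const char *data, int datalen)
 {
 return -EOPNOTSUPP;
-}
-
-static int integrity_init_keyring(const unsigned int id)
-{
-return 0;
 }
 #endif
 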