On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote: > Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to > restrict_link_by_ca. This will only allow CA keys into the machine > keyring. > > Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx> > --- > v1: Initial version > v2: Added !IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING check so mok > keyring gets created even when it isn't enabled > v3: Rename restrict_link_by_system_trusted_or_ca to restrict_link_by_ca > v4: removed unnecessary restriction->check set > v5: Rename to machine keyring > --- > security/integrity/digsig.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c > index 5a75ac2c4dbe..2b75bbbd9e0e 100644 > --- a/security/integrity/digsig.c > +++ b/security/integrity/digsig.c > @@ -132,14 +132,18 @@ int __init integrity_init_keyring(const unsigned int id) > goto out; > } > > - if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING)) > + if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) && id != INTEGRITY_KEYRING_MACHINE) > return 0; > > restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); > if (!restriction) > return -ENOMEM; > > - restriction->check = restrict_link_to_ima; > + if (id == INTEGRITY_KEYRING_MACHINE) > + restriction->check = restrict_link_by_ca; > + else > + restriction->check = restrict_link_to_ima; > + > if (id != INTEGRITY_KEYRING_MACHINE) > perm |= KEY_USR_WRITE; > 03 and 04 look sane. As said, the patches seem to be already in nice shape. /Jarkko