Similar to .ima, the cert imported to .ima_blacklist is able to be authenticated by a secondary CA cert.

Signed-off-by: Jia Zhang <zhang.jia@xxxxxxxxxxxxxxxxx>
---
 include/keys/system_keyring.h | 6 ++++++
 security/integrity/digsig.c | 6 ------
 security/integrity/ima/ima_mok.c | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index c1a96fd..7dc91db 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -31,6 +31,12 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
 #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
 #endif
 
+#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
+#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
+#else
+#define restrict_link_to_ima restrict_link_by_builtin_trusted
+#endif
+
 #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 extern int mark_hash_blacklisted(const char *hash);
 extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 868ade3..c6f3384 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -33,12 +33,6 @@
 ".platform",
 };
 
-#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
-#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
-#else
-#define restrict_link_to_ima restrict_link_by_builtin_trusted
-#endif
-
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 const char *digest, int digestlen)
 {
diff --git a/security/integrity/ima/ima_mok.c b/security/integrity/ima/ima_mok.c
index 36cadad..6d0b12d 100644
--- a/security/integrity/ima/ima_mok.c
+++ b/security/integrity/ima/ima_mok.c
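Review bot: The new `restrict_link_to_ima` macro in the system_keyring.h hunk lands in a generic keyring header without a comment, so a reader there cannot tell that it is the link restriction shared by IMA's keyrings or why it is keyed on an IMA Kconfig symbol. I'd put a short comment above the `#ifdef`, e.g. `/* Link restriction shared by the .ima and .ima_blacklist keyrings: keys must be vouched for by the builtin trusted keyring, or also by the secondary keyring when CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is set. */`. Because the macro now also governs .ima_blacklist, a signer trusted only via the secondary keyring can add blacklist entries when that option is enabled; if the option's Kconfig help text (not part of this patch) describes only .ima, it should be updated so the widened trust is documented where the option is chosen.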
@@ -31,7 +31,7 @@ __init int ima_mok_init(void)
 if (!restriction)
 panic("Can't allocate IMA blacklist restriction.");
 
- restriction->check = restrict_link_by_builtin_trusted;
+ restriction->check = restrict_link_to_ima;
 
 ima_blacklist_keyring = keyring_alloc(".ima_blacklist",
 KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
-- 
1.8.3.1
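Review bot: The assignment `restriction->check = restrict_link_to_ima;` changes which signers may add keys to .ima_blacklist, but nothing at the call site says so; the intent lives only in the commit message. A one-line comment above it, `/* Same link restriction as .ima: builtin trusted keys, or builtin+secondary under CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY */`, would keep the two keyrings' policies visibly tied together for whoever next touches either one. ima_mok_init() starts before this hunk and the keyring_alloc() call continues past it, so the remaining arguments are not visible here.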