Re: [PATCH 2/3] integrity: Allow specifying flags in integrity_load_cert

Stefan Berger <stefanb@xxxxxxxxxxxxx> · Fri, 26 Feb 2021 16:04:50 -0500

On 2/25/21 3:32 PM, Patrick Uiterwijk wrote:
Allows passing flags for key_create_or_update via
integrity_load_cert.

Signed-off-by: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>


Reviewed-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>


---
  security/integrity/digsig.c                          | 11 ++++++-----
  security/integrity/integrity.h                       |  6 ++++--
  security/integrity/platform_certs/platform_keyring.c |  2 +-
  3 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 250fb0836156..93203c767b57 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -144,7 +144,7 @@ int __init integrity_init_keyring(const unsigned int id)
  }
  
  static int __init integrity_add_key(const unsigned int id, const void *data,
-				    off_t size, key_perm_t perm)
+				    off_t size, key_perm_t perm, unsigned long flags)
  {
  	key_ref_t key;
  	int rc = 0;
@@ -154,7 +154,7 @@ static int __init integrity_add_key(const unsigned int id, const void *data,
  
  	key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric",
  				   NULL, data, size, perm,
-				   KEY_ALLOC_NOT_IN_QUOTA);
+				   flags | KEY_ALLOC_NOT_IN_QUOTA);
  	if (IS_ERR(key)) {
  		rc = PTR_ERR(key);
  		pr_err("Problem loading X.509 certificate %d\n", rc);
@@ -186,18 +186,19 @@ int __init integrity_load_x509(const unsigned int id, const char *path)
  	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ;
  
  	pr_info("Loading X.509 certificate: %s\n", path);
-	rc = integrity_add_key(id, (const void *)data, size, perm);
+	rc = integrity_add_key(id, (const void *)data, size, perm, 0);
  
  	vfree(data);
  	return rc;
  }
  
  int __init integrity_load_cert(const unsigned int id, const char *source,
-			       const void *data, size_t len, key_perm_t perm)
+			       const void *data, size_t len, key_perm_t perm,
+			       unsigned long flags)
  {
  	if (!data)
  		return -EINVAL;
  
  	pr_info("Loading X.509 certificate: %s\n", source);
-	return integrity_add_key(id, data, len, perm);
+	return integrity_add_key(id, data, len, perm, flags);
  }
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 547425c20e11..1194ff71a1c1 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -166,7 +166,8 @@ int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
  int __init integrity_init_keyring(const unsigned int id);
  int __init integrity_load_x509(const unsigned int id, const char *path);
  int __init integrity_load_cert(const unsigned int id, const char *source,
-			       const void *data, size_t len, key_perm_t perm);
+			       const void *data, size_t len, key_perm_t perm,
+			       unsigned long flags);
  #else
  
  static inline int integrity_digsig_verify(const unsigned int id,
@@ -190,7 +191,8 @@ static inline int integrity_init_keyring(const unsigned int id)
  static inline int __init integrity_load_cert(const unsigned int id,
  					     const char *source,
  					     const void *data, size_t len,
-					     key_perm_t perm)
+					     key_perm_t perm,
+					     unsigned long flags)
  {
  	return 0;
  }
diff --git a/security/integrity/platform_certs/platform_keyring.c b/security/integrity/platform_certs/platform_keyring.c
index bcafd7387729..131462c826b5 100644
--- a/security/integrity/platform_certs/platform_keyring.c
+++ b/security/integrity/platform_certs/platform_keyring.c
@@ -32,7 +32,7 @@ void __init add_to_platform_keyring(const char *source, const void *data,
  	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
  
  	rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, data, len,
-				 perm);
+				 perm, 0);
  	if (rc)
  		pr_info("Error adding keys to platform keyring %s\n", source);
  }








