lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1564622625-112173-1-git-send-email-zhang.jia@linux.alibaba.com>
Date:   Thu,  1 Aug 2019 09:23:45 +0800
From:   Jia Zhang <zhang.jia@...ux.alibaba.com>
To:     dhowells@...hat.com, zohar@...ux.ibm.com, dmitry.kasatkin@...il.com
Cc:     keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
        linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
        zhang.jia@...ux.alibaba.com
Subject: [PATCH] ima: Allow to import the blacklisted cert signed by secondary CA cert

Similar to .ima, the cert imported to .ima_blacklist is able to be
authenticated by a secondary CA cert.

Signed-off-by: Jia Zhang <zhang.jia@...ux.alibaba.com>
---
 include/keys/system_keyring.h    | 6 ++++++
 security/integrity/digsig.c      | 6 ------
 security/integrity/ima/ima_mok.c | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index c1a96fd..7dc91db 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -31,6 +31,12 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
 #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
 #endif
 
+#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
+#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
+#else
+#define restrict_link_to_ima restrict_link_by_builtin_trusted
+#endif
+
 #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 extern int mark_hash_blacklisted(const char *hash);
 extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 868ade3..c6f3384 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -33,12 +33,6 @@
 	".platform",
 };
 
-#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
-#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
-#else
-#define restrict_link_to_ima restrict_link_by_builtin_trusted
-#endif
-
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 			    const char *digest, int digestlen)
 {
diff --git a/security/integrity/ima/ima_mok.c b/security/integrity/ima/ima_mok.c
index 36cadad..6d0b12d 100644
--- a/security/integrity/ima/ima_mok.c
+++ b/security/integrity/ima/ima_mok.c
@@ -31,7 +31,7 @@ __init int ima_mok_init(void)
 	if (!restriction)
 		panic("Can't allocate IMA blacklist restriction.");
 
-	restriction->check = restrict_link_by_builtin_trusted;
+	restriction->check = restrict_link_to_ima;
 
 	ima_blacklist_keyring = keyring_alloc(".ima_blacklist",
 				KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
-- 
1.8.3.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ