[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 18 Aug 2021 20:20:59 -0400
From: Eric Snowberg <eric.snowberg@...cle.com>
To: keyrings@...r.kernel.org, linux-integrity@...r.kernel.org,
zohar@...ux.ibm.com, dhowells@...hat.com, dwmw2@...radead.org,
herbert@...dor.apana.org.au, davem@...emloft.net,
jarkko@...nel.org, jmorris@...ei.org, serge@...lyn.com
Cc: eric.snowberg@...cle.com, keescook@...omium.org,
gregkh@...uxfoundation.org, torvalds@...ux-foundation.org,
scott.branden@...adcom.com, weiyongjun1@...wei.com,
nayna@...ux.ibm.com, ebiggers@...gle.com, ardb@...nel.org,
nramas@...ux.microsoft.com, lszubowi@...hat.com,
linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-security-module@...r.kernel.org,
James.Bottomley@...senPartnership.com, pjones@...hat.com,
konrad.wilk@...cle.com
Subject: [PATCH v4 02/12] integrity: Do not allow mok keyring updates following init
The mok keyring is setup during init. No additional keys should be allowed
to be added afterwards. Leave the permission as read only.
Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
---
v2: Initial version
v4: Unmodified from v2
---
security/integrity/digsig.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index e07334504ef1..5cad38e6f56a 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -140,7 +140,8 @@ int __init integrity_init_keyring(const unsigned int id)
return -ENOMEM;
restriction->check = restrict_link_to_ima;
- perm |= KEY_USR_WRITE;
+ if (id != INTEGRITY_KEYRING_MOK)
+ perm |= KEY_USR_WRITE;
out:
return __integrity_init_keyring(id, perm, restriction);
--
2.18.4
Powered by blists - more mailing lists