Date: Thu, 09 Sep 2021 13:27:04 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Eric Snowberg <eric.snowberg@...cle.com>, keyrings@...r.kernel.org,
linux-integrity@...r.kernel.org, dhowells@...hat.com,
dwmw2@...radead.org, herbert@...dor.apana.org.au,
davem@...emloft.net, jarkko@...nel.org, jmorris@...ei.org,
serge@...lyn.com
Cc: keescook@...omium.org, gregkh@...uxfoundation.org,
torvalds@...ux-foundation.org, scott.branden@...adcom.com,
weiyongjun1@...wei.com, nayna@...ux.ibm.com, ebiggers@...gle.com,
ardb@...nel.org, nramas@...ux.microsoft.com, lszubowi@...hat.com,
linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-security-module@...r.kernel.org,
James.Bottomley@...senPartnership.com, pjones@...hat.com,
konrad.wilk@...cle.com
Subject: Re: [PATCH v5 08/12] KEYS: integrity: change link restriction to
trust the machine keyring

Hi Eric,

On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote:
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 955bd57815f4..747f0c528fec 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -89,7 +89,10 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void
> if (!restriction)
> panic("Can't allocate secondary trusted keyring restriction\n");
>
> - restriction->check = restrict_link_by_builtin_and_secondary_trusted;
> + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
> + restriction->check = restrict_link_by_builtin_secondary_and_ca_trusted;
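
Review bot: the new `if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))` branch makes the link restriction depend on a Kconfig option without a comment saying what restrict_link_by_builtin_secondary_and_ca_trusted accepts that restrict_link_by_builtin_and_secondary_trusted did not; a short comment above the branch would help anyone auditing which keys can reach this keyring. The quoted lines stop at the new assignment, so it is also worth confirming that the other branch still assigns restrict_link_by_builtin_and_secondary_trusted, so that restriction->check is never left unset when the option is off.
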
Returning the new restriction in a function named
get_builtin_and_secondary_restriction() is kind of weird. Renaming the
function to get_secondary_restriction() would be clearer.

thanks,

Mimi