From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH 12/12] IMA: Use the the system trusted keyrings instead of .ima_mok [ver #3]
Date: Tue, 05 Apr 2016 16:48:22 -0400
Message-ID: <1459889302.3166.5.camel@linux.vnet.ibm.com>
In-Reply-To: <20160309111939.28811.7952.stgit@warthog.procyon.org.uk>
References: <20160309111814.28811.95697.stgit@warthog.procyon.org.uk> <20160309111939.28811.7952.stgit@warthog.procyon.org.uk>
List-ID: linux-kernel@vger.kernel.org

On Wed, 2016-03-09 at 11:19 +0000, David Howells wrote:
> -#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING > -/* > - * Restrict the addition of keys into the IMA keyring. > - * > - * Any key that needs to go in .ima keyring must be signed by CA in > - * either .system or .ima_mok keyrings. 
> - */ > -static int restrict_link_by_ima_mok(struct key *keyring, > - const struct key_type *type, > - const union key_payload *payload) > -{ > - int ret; > - > - ret = restrict_link_by_builtin_trusted(keyring, type, payload); > - if (ret != -ENOKEY) > - return ret; > - > - return restrict_link_by_signature(get_ima_mok_keyring(), > - type, payload); > -} > +#if defined(CONFIG_IMA_KEYRINGS_ADD_IF_SIGNED_BY_BUILTIN) > +#define restrict_link_to_ima restrict_link_by_builtin_trusted > +#elif defined(CONFIG_IMA_KEYRINGS_ADD_IF_SIGNED_BY_BUILTIN_OR_SECONDARY) > +#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted FYI, restrict_link_by_ima_mok() allows keys to be added to the IMA keyring signed by a key on the .ima_mok keyring, but restrict_link_by_builtin_and_secondary_trusted() results in "errno: Required key not available (126)". Mimi
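Review bot: the removed restrict_link_by_ima_mok() fell back to restrict_link_by_signature(get_ima_mok_keyring(), ...) whenever the builtin check returned -ENOKEY, and neither of the two new #define branches (restrict_link_by_builtin_trusted, restrict_link_by_builtin_and_secondary_trusted) has an equivalent fallback, so a key whose signer is present only on .ima_mok is now refused with -ENOKEY. If that is intended, the commit message should say so and state the migration path (the CA certificates that used to live on .ima_mok have to be linked onto .secondary_trusted_keys, which carries its own link restriction); otherwise keep a third option that retains the .ima_mok fallback. Also, the quoted fragment ends at the `#elif defined(CONFIG_IMA_KEYRINGS_ADD_IF_SIGNED_BY_BUILTIN_OR_SECONDARY)` branch: make sure the remaining branches define restrict_link_to_ima for the case where neither Kconfig symbol is set (a reject-all restriction or a #error), so the symbol can never be left undefined.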
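To make the difference between the two restriction chains concrete, here is an added userspace model written for this page. It is not kernel code and not part of the patch: the keys, the three keyrings, the "signature check" (an issuer lookup plus a constructed sig_ok flag) and the names restrict_by_signature, restrict_by_ima_mok, restrict_by_builtin_and_secondary and migrate_mok_ca_to_secondary are all stand-ins. It reproduces the two behaviours visible in the hunk: the old helper only falls through to .ima_mok on -ENOKEY (any other error, such as a rejected signature against a builtin CA, is returned as-is), and the replacement consults .secondary_trusted_keys instead, so a key signed by a CA that exists only on .ima_mok comes back -ENOKEY (errno 126 on Linux) until that CA is also on the secondary keyring.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* glibc defines these on Linux; guard for other libcs (values match Linux). */
#ifndef ENOKEY
#define ENOKEY 126
#endif
#ifndef EKEYREJECTED
#define EKEYREJECTED 129
#endif

/* Userspace model only: NOT the kernel's struct key / struct key_type. */
#define MAX_KEYS 8

struct key {
	const char *id;      /* subject key identifier */
	const char *issuer;  /* key identifier of the CA that signed it */
	int sig_ok;          /* constructed: 1 if the signature would verify */
};

struct keyring {
	const char *name;
	const struct key *keys[MAX_KEYS];
	int nr;
};

/* Constructed CA keys standing in for compiled-in / MOK-loaded certificates. */
static const struct key builtin_ca = { "builtin-ca", "builtin-ca", 1 };
static const struct key mok_ca     = { "mok-ca",     "mok-ca",     1 };

/* Constructed candidate keys that something asks to link into .ima. */
static const struct key ima_by_builtin = { "ima-by-builtin", "builtin-ca", 1 };
static const struct key ima_by_mok     = { "ima-by-mok",     "mok-ca",     1 };
static const struct key ima_bad_sig    = { "ima-bad-sig",    "builtin-ca", 0 };

static struct keyring builtin_trusted   = { ".builtin_trusted_keys",   { &builtin_ca }, 1 };
static struct keyring secondary_trusted = { ".secondary_trusted_keys", { 0 },           0 };
static struct keyring ima_mok           = { ".ima_mok",                { &mok_ca },     1 };

static const struct key *find_key(const struct keyring *kr, const char *id)
{
	for (int i = 0; i < kr->nr; i++)
		if (strcmp(kr->keys[i]->id, id) == 0)
			return kr->keys[i];
	return NULL;
}

/* Fixture helper: link a key without any restriction check (see usage note). */
static int keyring_add_unchecked(struct keyring *kr, const struct key *k)
{
	if (kr->nr >= MAX_KEYS)
		return -ENOSPC;
	kr->keys[kr->nr++] = k;
	return 0;
}

/*
 * Model of restrict_link_by_signature(): the candidate may be linked only if
 * its issuer is on @trust and the signature verifies.
 *   -ENOKEY        issuer not present on the keyring ("Required key not available")
 *   -EKEYREJECTED  issuer present, but the signature does not verify
 */
static int restrict_by_signature(const struct keyring *trust, const struct key *cand)
{
	if (!find_key(trust, cand->issuer))
		return -ENOKEY;
	return cand->sig_ok ? 0 : -EKEYREJECTED;
}

static int restrict_by_builtin_trusted(const struct key *cand)
{
	return restrict_by_signature(&builtin_trusted, cand);
}

/* The helper the hunk removes: builtin first, .ima_mok only on -ENOKEY. */
static int restrict_by_ima_mok(const struct key *cand)
{
	int ret = restrict_by_builtin_trusted(cand);
	if (ret != -ENOKEY)
		return ret;
	return restrict_by_signature(&ima_mok, cand);
}

/* The replacement: builtin first, .secondary_trusted_keys only on -ENOKEY. */
static int restrict_by_builtin_and_secondary(const struct key *cand)
{
	int ret = restrict_by_builtin_trusted(cand);
	if (ret != -ENOKEY)
		return ret;
	return restrict_by_signature(&secondary_trusted, cand);
}

/* What a migration would have to do: put the former .ima_mok CA on .secondary. */
static int migrate_mok_ca_to_secondary(void)
{
	return keyring_add_unchecked(&secondary_trusted, &mok_ca);
}

int main(void)
{
	printf("old chain, key signed by MOK CA:      %d\n", restrict_by_ima_mok(&ima_by_mok));
	printf("new chain, key signed by MOK CA:      %d (ENOKEY is %d)\n",
	       restrict_by_builtin_and_secondary(&ima_by_mok), -ENOKEY);
	printf("old chain, bad sig under builtin CA:  %d (no fallback)\n", restrict_by_ima_mok(&ima_bad_sig));
	migrate_mok_ca_to_secondary();
	printf("new chain after migrating MOK CA:     %d\n", restrict_by_builtin_and_secondary(&ima_by_mok));
	return 0;
}
```

The one thing the model deliberately glosses over is keyring_add_unchecked(): in the kernel the secondary keyring is itself restricted, so a MOK CA can only be linked there if it in turn verifies against a builtin or already-linked secondary key. A CA that was trusted purely by virtue of sitting on .ima_mok cannot simply be moved; that is the migration question the reply's ENOKEY report raises.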