ima: define '.ima' as a builtin 'trusted' keyring (7d2ce232) · Commits · 戴 / test

security/integrity/digsig.c

+28 −0

Original line number	Diff line number	Diff line
		@@ -13,7 +13,9 @@
		#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

		#include <linux/err.h>
		#include <linux/sched.h>
		#include <linux/rbtree.h>
		#include <linux/cred.h>
		#include <linux/key-type.h>
		#include <linux/digsig.h>

		@@ -24,7 +26,11 @@ static struct key *keyring[INTEGRITY_KEYRING_MAX];
		static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
		"_evm",
		"_module",
		#ifndef CONFIG_IMA_TRUSTED_KEYRING
		"_ima",
		#else
		".ima",
		#endif
		};

		int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
		@@ -56,3 +62,25 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,

		return -EOPNOTSUPP;
		}

		int integrity_init_keyring(const unsigned int id)
		{
		const struct cred *cred = current_cred();
		int err = 0;

		keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
		KGIDT_INIT(0), cred,
		((KEY_POS_ALL & ~KEY_POS_SETATTR) \|
		KEY_USR_VIEW \| KEY_USR_READ \|
		KEY_USR_WRITE \| KEY_USR_SEARCH),
		KEY_ALLOC_NOT_IN_QUOTA, NULL);
		if (!IS_ERR(keyring[id]))
		set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
		else {
		err = PTR_ERR(keyring[id]);
		pr_info("Can't allocate %s keyring (%d)\n",
		keyring_name[id], err);
		keyring[id] = NULL;
		}
		return err;
		}

+10 −0

Original line number	Diff line number	Diff line
		@@ -123,3 +123,13 @@ config IMA_APPRAISE
		For more information on integrity appraisal refer to:
		<http://linux-ima.sourceforge.net>
		If unsure, say N.

		config IMA_TRUSTED_KEYRING
		bool "Require all keys on the .ima keyring be signed"
		depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
		depends on INTEGRITY_ASYMMETRIC_KEYS
		select KEYS_DEBUG_PROC_KEYS
		default y
		help
		This option requires that all keys added to the .ima
		keyring be signed by a key on the system trusted keyring.

+12 −0

Original line number	Diff line number	Diff line
		@@ -249,4 +249,16 @@ static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
		return -EINVAL;
		}
		#endif /* CONFIG_IMA_LSM_RULES */

		#ifdef CONFIG_IMA_TRUSTED_KEYRING
		static inline int ima_init_keyring(const unsigned int id)
		{
		return integrity_init_keyring(id);
		}
		#else
		static inline int ima_init_keyring(const unsigned int id)
		{
		return 0;
		}
		#endif /* CONFIG_IMA_TRUSTED_KEYRING */
		#endif

+8 −2

Original line number	Diff line number	Diff line
		@@ -325,8 +325,14 @@ static int __init init_ima(void)

		hash_setup(CONFIG_IMA_DEFAULT_HASH);
		error = ima_init();
		if (!error)
		if (error)
		goto out;

		error = ima_init_keyring(INTEGRITY_KEYRING_IMA);
		if (error)
		goto out;
		ima_initialized = 1;
		out:
		return error;
		}

+5 −0

Original line number	Diff line number	Diff line
		@@ -124,6 +124,7 @@ struct integrity_iint_cache integrity_iint_find(struct inode inode);
		int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
		const char *digest, int digestlen);

		int integrity_init_keyring(const unsigned int id);
		#else

		static inline int integrity_digsig_verify(const unsigned int id,
		@@ -133,6 +134,10 @@ static inline int integrity_digsig_verify(const unsigned int id,
		return -EOPNOTSUPP;
		}

		static inline int integrity_init_keyring(const unsigned int id)
		{
		return 0;
		}
		#endif /* CONFIG_INTEGRITY_SIGNATURE */

		#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS