From: Jia Zhang To: dhowells@redhat.com, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com Cc: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, zhang.jia@linux.alibaba.com Subject: [PATCH] ima: Allow to import the blacklisted cert signed by secondary CA cert Date: Thu, 1 Aug 2019 09:23:45 +0800 Message-Id: <1564622625-112173-1-git-send-email-zhang.jia@linux.alibaba.com> X-Mailer: git-send-email 1.8.3.1 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Similar to .ima, the cert imported to .ima_blacklist is able to be authenticated by a secondary CA cert. Signed-off-by: Jia Zhang --- include/keys/system_keyring.h | 6 ++++++ security/integrity/digsig.c | 6 ------ security/integrity/ima/ima_mok.c | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index c1a96fd..7dc91db 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -31,6 +31,12 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif +#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY +#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted +#else +#define restrict_link_to_ima restrict_link_by_builtin_trusted +#endif + #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING extern int mark_hash_blacklisted(const char *hash); extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 868ade3..c6f3384 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c 
@@ -33,12 +33,6 @@ ".platform", }; -#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY -#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted -#else -#define restrict_link_to_ima restrict_link_by_builtin_trusted -#endif - int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, const char *digest, int digestlen) { diff --git a/security/integrity/ima/ima_mok.c b/security/integrity/ima/ima_mok.c index 36cadad..6d0b12d 100644 --- a/security/integrity/ima/ima_mok.c +++ b/security/integrity/ima/ima_mok.c @@ -31,7 +31,7 @@ __init int ima_mok_init(void) if (!restriction) panic("Can't allocate IMA blacklist restriction."); - restriction->check = restrict_link_by_builtin_trusted; + restriction->check = restrict_link_to_ima; ima_blacklist_keyring = keyring_alloc(".ima_blacklist", KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), -- 1.8.3.1
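Review bot: the restrict_link_to_ima macro newly placed in include/keys/system_keyring.h carries no comment saying what it selects or that it is now shared by security/integrity/digsig.c and security/integrity/ima/ima_mok.c; a one-line comment above the `#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY` block would spare a reader of this generic system-keyring header from having to hunt for its two IMA users, and would make clear why an IMA Kconfig symbol appears here at all. Placement is otherwise sound: the context lines immediately above show the fallback `#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted`, so the new alias resolves to a real function whether or not the secondary keyring is built.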
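Review bot: the commit message should spell out the trust consequence of the one-line change in security/integrity/ima/ima_mok.c. Switching restriction->check from restrict_link_by_builtin_trusted to restrict_link_to_ima means that, with CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY set, a certificate signed by any key on the secondary trusted keyring, not only a built-in one, can now be loaded into .ima_blacklist; since that keyring holds certificates IMA must refuse, a secondary CA thereby gains the ability to make IMA reject files that would otherwise verify. That is a deliberate widening, consistent with what digsig.c already applies to .ima, but "Similar to .ima" does not tell a reader that the set of parties able to revoke trust has grown; state it explicitly in the message, and check that the Kconfig help text for CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY describes the blacklist keyring as well as .ima. With the option unset the macro falls back to restrict_link_by_builtin_trusted (visible in the system_keyring.h hunk), so default behaviour is unchanged.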