On 21/03/2022 19:23, Paul Moore wrote:
> On Mon, Mar 21, 2022 at 1:45 PM Mickaël Salaün <[email protected]> wrote:
>>
>> From: Mickaël Salaün <[email protected]>
>>
>> The blacklist_init() function calls panic() for memory allocation
>> errors. This change documents the reason why we don't return -ENODEV.
>>
>> Suggested-by: Paul Moore <[email protected]> [1]
>> Requested-by: Jarkko Sakkinen <[email protected]> [1]
>> Link: https://lore.kernel.org/r/[email protected] [1]
>> Signed-off-by: Mickaël Salaün <[email protected]>
>> Link: https://lore.kernel.org/r/[email protected]
>> ---
>> certs/blacklist.c | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>
> I would suggest changing the second sentence as shown below, but
> otherwise it looks good to me.
>
> Reviewed-by: Paul Moore <[email protected]>
>
>> diff --git a/certs/blacklist.c b/certs/blacklist.c
>> index 486ce0dd8e9c..ac26bcf9b9a5 100644
>> --- a/certs/blacklist.c
>> +++ b/certs/blacklist.c
>> @@ -307,6 +307,14 @@ static int restrict_link_for_blacklist(struct key *dest_keyring,
>>
>> /*
>> * Initialise the blacklist
>> + *
>> + * The blacklist_init() function is registered as an initcall via
>> + * device_initcall(). As a result the functionality doesn't load and the
>
> "As a result if the blacklist_init() function fails for any reason the
> kernel continues to execute."
Thanks, I'll fix that.
>
>> + * kernel continues on executing. While cleanly returning -ENODEV could be
>> + * acceptable for some non-critical kernel parts, if the blacklist keyring
>> + * fails to load it defeats the certificate/key based deny list for signed
>> + * modules. If a critical piece of security functionality that users expect to
>> + * be present fails to initialize, panic()ing is likely the right thing to do.
>> */
>> static int __init blacklist_init(void)
>> {
>
> --
> paul-moore.com