[PATCH 2/3] integrity: Allow specifying flags in integrity_load_cert
From: Patrick Uiterwijk <hidden>
Date: 2021-02-25 20:36:22
Subsystem:
extended verification module (evm), integrity measurement architecture (ima), security subsystem, the rest · Maintainers:
Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds
Allows passing flags for key_create_or_update via integrity_load_cert. Signed-off-by: Patrick Uiterwijk <redacted> --- security/integrity/digsig.c | 11 ++++++----- security/integrity/integrity.h | 6 ++++-- security/integrity/platform_certs/platform_keyring.c | 2 +- 3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 250fb0836156..93203c767b57 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c@@ -144,7 +144,7 @@ int __init integrity_init_keyring(const unsigned int id) } static int __init integrity_add_key(const unsigned int id, const void *data, - off_t size, key_perm_t perm) + off_t size, key_perm_t perm, unsigned long flags) { key_ref_t key; int rc = 0;
@@ -154,7 +154,7 @@ static int __init integrity_add_key(const unsigned int id, const void *data, key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric", NULL, data, size, perm, - KEY_ALLOC_NOT_IN_QUOTA); + flags | KEY_ALLOC_NOT_IN_QUOTA); if (IS_ERR(key)) { rc = PTR_ERR(key); pr_err("Problem loading X.509 certificate %d\n", rc);
@@ -186,18 +186,19 @@ int __init integrity_load_x509(const unsigned int id, const char *path) perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ; pr_info("Loading X.509 certificate: %s\n", path); - rc = integrity_add_key(id, (const void *)data, size, perm); + rc = integrity_add_key(id, (const void *)data, size, perm, 0); vfree(data); return rc; } int __init integrity_load_cert(const unsigned int id, const char *source, - const void *data, size_t len, key_perm_t perm) + const void *data, size_t len, key_perm_t perm, + unsigned long flags) { if (!data) return -EINVAL; pr_info("Loading X.509 certificate: %s\n", source); - return integrity_add_key(id, data, len, perm); + return integrity_add_key(id, data, len, perm, flags); }
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 547425c20e11..1194ff71a1c1 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h@@ -166,7 +166,8 @@ int integrity_modsig_verify(unsigned int id, const struct modsig *modsig); int __init integrity_init_keyring(const unsigned int id); int __init integrity_load_x509(const unsigned int id, const char *path); int __init integrity_load_cert(const unsigned int id, const char *source, - const void *data, size_t len, key_perm_t perm); + const void *data, size_t len, key_perm_t perm, + unsigned long flags); #else static inline int integrity_digsig_verify(const unsigned int id,
@@ -190,7 +191,8 @@ static inline int integrity_init_keyring(const unsigned int id) static inline int __init integrity_load_cert(const unsigned int id, const char *source, const void *data, size_t len, - key_perm_t perm) + key_perm_t perm, + unsigned long flags) { return 0; }
diff --git a/security/integrity/platform_certs/platform_keyring.c b/security/integrity/platform_certs/platform_keyring.c
index bcafd7387729..131462c826b5 100644
--- a/security/integrity/platform_certs/platform_keyring.c
+++ b/security/integrity/platform_certs/platform_keyring.c@@ -32,7 +32,7 @@ void __init add_to_platform_keyring(const char *source, const void *data, perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, data, len, - perm); + perm, 0); if (rc) pr_info("Error adding keys to platform keyring %s\n", source); }
--
2.29.2