[RFC PATCH 20/20] IMA: Replace the .ima_mok keyring with the secondary system keyring [ver #2]

From: David Howells
Date: Tue Jan 19 2016 - 06:33:18 EST


Use the secondary system keyring instead of the .ima_mok keyring and remove
the latter.

Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
---

include/keys/system_keyring.h | 15 -------------
security/integrity/digsig.c | 28 ++----------------------
security/integrity/ima/Kconfig | 18 ----------------
security/integrity/ima/Makefile | 1 -
security/integrity/ima/ima_mok.c | 44 --------------------------------------
5 files changed, 2 insertions(+), 104 deletions(-)
delete mode 100644 security/integrity/ima/ima_mok.c

diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index b261362c8b2d..622c1760ecc9 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -45,19 +45,4 @@ static inline int is_key_blacklisted(const char *name)
}
#endif

-#ifdef CONFIG_IMA_MOK_KEYRING
-extern struct key *ima_mok_keyring;
-
-static inline struct key *get_ima_mok_keyring(void)
-{
- return ima_mok_keyring;
-}
-#else
-static inline struct key *get_ima_mok_keyring(void)
-{
- return NULL;
-}
-#endif /* CONFIG_IMA_MOK_KEYRING */
-
-
#endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 464d25e698ec..70fa199731f1 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -42,25 +42,6 @@ static bool init_keyring __initdata = true;
static bool init_keyring __initdata;
#endif

-/*
- * Restrict the addition of keys into the IMA keyring.
- *
- * Any key that needs to go in .ima keyring must be signed by CA in
- * either .system or .ima_mok keyrings.
- */
-static int restrict_link_by_ima_mok(struct key *keyring,
- const struct key_type *type,
- const union key_payload *payload)
-{
- int ret;
-
- ret = restrict_link_by_system_trusted(keyring, type, payload);
- if (ret != -ENOKEY)
- return ret;
-
- return public_key_restrict_link(get_ima_mok_keyring(), type, payload);
-}
-
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen)
{
@@ -93,25 +74,20 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,

int __init integrity_init_keyring(const unsigned int id)
{
- int (*restrict_link)(struct key *,
- const struct key_type *,
- const union key_payload *) = NULL;
const struct cred *cred = current_cred();
int err = 0;

if (!init_keyring)
return 0;

- if (id == 1)
- restrict_link = restrict_link_by_ima_mok;
-
keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
KGIDT_INIT(0), cred,
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ |
KEY_USR_WRITE | KEY_USR_SEARCH),
KEY_ALLOC_NOT_IN_QUOTA,
- restrict_link, NULL);
+ restrict_link_by_system_trusted,
+ NULL);
if (IS_ERR(keyring[id])) {
err = PTR_ERR(keyring[id]);
pr_info("Can't allocate %s keyring (%d)\n",
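Review bot: Dropping the `if (id == 1)` guard widens the restriction beyond what the description states: `restrict_link_by_system_trusted` is now installed on every keyring allocated through integrity_init_keyring, whereas before only the keyring with id 1 had a link restriction and the others accepted any key. If that widening is intended, say so in the commit message and add a comment above the keyring_alloc() call such as `/* All integrity keyrings only accept keys signed by the system trusted keyrings */`; if not, keep the id check, e.g. `id == 1 ? restrict_link_by_system_trusted : NULL,` in the argument list. It is also not visible in this hunk that restrict_link_by_system_trusted consults the secondary keyring named in the subject; presumably an earlier patch in the series provides that, and a one-line reference to it in the message would help reviewers. integrity_init_keyring continues past the end of the hunk.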
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index e54a8a8dae94..5466cfe0305f 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -155,24 +155,6 @@ config IMA_TRUSTED_KEYRING

This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING

-config IMA_MOK_KEYRING
- bool "Create IMA machine owner keys (MOK) and blacklist keyrings"
- depends on SYSTEM_TRUSTED_KEYRING
- depends on IMA_TRUSTED_KEYRING
- default n
- help
- This option creates IMA MOK and blacklist keyrings. IMA MOK is an
- intermediate keyring that sits between .system and .ima keyrings,
- effectively forming a simple CA hierarchy. To successfully import a
- key into .ima_mok it must be signed by a key which CA is in .system
- keyring. On turn any key that needs to go in .ima keyring must be
- signed by CA in either .system or .ima_mok keyrings. IMA MOK is empty
- at kernel boot.
-
- IMA blacklist keyring contains all revoked IMA keys. It is consulted
- before any other keyring. If the search is successful the requested
- operation is rejected and error is returned to the caller.
-
config IMA_LOAD_X509
bool "Load X509 certificate onto the '.ima' trusted keyring"
depends on IMA_TRUSTED_KEYRING
diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
index a8539f9e060f..d79263d2fdbf 100644
--- a/security/integrity/ima/Makefile
+++ b/security/integrity/ima/Makefile
@@ -8,4 +8,3 @@ obj-$(CONFIG_IMA) += ima.o
ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
ima_policy.o ima_template.o ima_template_lib.o
ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
-obj-$(CONFIG_IMA_MOK_KEYRING) += ima_mok.o
diff --git a/security/integrity/ima/ima_mok.c b/security/integrity/ima/ima_mok.c
deleted file mode 100644
index 6b34770a6c9f..000000000000
--- a/security/integrity/ima/ima_mok.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2015 Juniper Networks, Inc.
- *
- * Author:
- * Petko Manolov <petko.manolov@xxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- */
-
-#include <linux/export.h>
-#include <linux/kernel.h>
-#include <linux/sched.h>
-#include <linux/cred.h>
-#include <linux/err.h>
-#include <linux/init.h>
-#include <keys/system_keyring.h>
-
-
-struct key *ima_mok_keyring;
-
-/*
- * Allocate the IMA MOK and blacklist keyrings
- */
-__init int ima_mok_init(void)
-{
- pr_notice("Allocating IMA MOK and blacklist keyrings.\n");
-
- ima_mok_keyring = keyring_alloc(".ima_mok",
- KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
- (KEY_POS_ALL & ~KEY_POS_SETATTR) |
- KEY_USR_VIEW | KEY_USR_READ |
- KEY_USR_WRITE | KEY_USR_SEARCH,
- KEY_ALLOC_NOT_IN_QUOTA,
- restrict_link_by_system_trusted, NULL);
-
- if (IS_ERR(ima_mok_keyring))
- panic("Can't allocate IMA MOK keyring.");
- return 0;
-}
-device_initcall(ima_mok_init);