Re: [PATCH v7 6/8] certs: add wrapper function to check blacklisted binary hash

From: Mimi Zohar
Date: Fri Oct 11 2019 - 09:18:33 EST


On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote:
> The existing is_hash_blacklisted() function returns -EKEYREJECTED
> error code for both the blacklisted keys and binaries.
>
> This patch adds a wrapper function is_binary_blacklisted() to check
> against binary hashes and returns -EPERM. ÂÂ
>
> Signed-off-by: Nayna Jain <nayna@xxxxxxxxxxxxx>

This patch description describes what you're doing, not the
motivation.

Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

> ---
> certs/blacklist.c | 9 +++++++++
> include/keys/system_keyring.h | 6 ++++++
> 2 files changed, 15 insertions(+)
>
> diff --git a/certs/blacklist.c b/certs/blacklist.c
> index ec00bf337eb6..6514f9ebc943 100644
> --- a/certs/blacklist.c
> +++ b/certs/blacklist.c
> @@ -135,6 +135,15 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
> }
> EXPORT_SYMBOL_GPL(is_hash_blacklisted);
>
> +int is_binary_blacklisted(const u8 *hash, size_t hash_len)
> +{
> + if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED)
> + return -EPERM;
> +
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(is_binary_blacklisted);
> +
> /*
> * Initialise the blacklist
> */
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index c1a96fdf598b..fb8b07daa9d1 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -35,12 +35,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
> extern int mark_hash_blacklisted(const char *hash);
> extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
> const char *type);
> +extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
> #else
> static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
> const char *type)
> {
> return 0;
> }
> +
> +static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
> +{
> + return 0;
> +}
> #endif
>
> #ifdef CONFIG_IMA_BLACKLIST_KEYRING