Re: [PATCH v5 08/12] KEYS: integrity: change link restriction to trust the machine keyring
From: Mimi Zohar
Date: Thu Sep 09 2021 - 13:27:43 EST
Hi Eric,
On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote:
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 955bd57815f4..747f0c528fec 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -89,7 +89,10 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void
> if (!restriction)
> panic("Can't allocate secondary trusted keyring restriction\n");
>
> - restriction->check = restrict_link_by_builtin_and_secondary_trusted;
> + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
> + restriction->check = restrict_link_by_builtin_secondary_and_ca_trusted;
Returning the new restriction in a function named
get_builtin_and_secondary_restriction() is kind of weird. Renaming the
function to get_secondary_restriction() would be clearer.
thanks,
Mimi