Revert "ima: define '_ima' as a builtin 'trusted' keyring"

This reverts commit 217091dd7a, which
caused the following build error:

  security/integrity/digsig.c:70:5: error: redefinition of ‘integrity_init_keyring’
  security/integrity/integrity.h:149:12: note: previous definition of ‘integrity_init_keyring’ w
  security/integrity/integrity.h:149:12: warning: ‘integrity_init_keyring’ defined but not used

reported by Krzysztof Kolasa. Mimi says:

 "I made the classic mistake of requesting this patch to be upstreamed
  at the last second, rather than waiting until the next open window.

  At this point, the best course would probably be to revert the two
  commits and fix them for the next open window"

Reported-by: Krzysztof Kolasa <kkolasa@winsoft.pl>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Linus Torvalds 2013-11-23 16:36:35 -08:00
parent 26b265cd29
commit 34ef7bd382
4 changed files with 1 additions and 55 deletions

View File

@ -13,9 +13,7 @@
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/err.h>
#include <linux/sched.h>
#include <linux/rbtree.h>
#include <linux/cred.h>
#include <linux/key-type.h>
#include <linux/digsig.h>
@ -23,19 +21,11 @@
static struct key *keyring[INTEGRITY_KEYRING_MAX];
#ifdef CONFIG_IMA_TRUSTED_KEYRING
static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
".evm",
".module",
".ima",
};
#else
static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
"_evm",
"_module",
"_ima",
};
#endif
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen)
@ -45,7 +35,7 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
if (!keyring[id]) {
keyring[id] =
request_key(&key_type_keyring, keyring_name[id], NULL);
request_key(&key_type_keyring, keyring_name[id], NULL);
if (IS_ERR(keyring[id])) {
int err = PTR_ERR(keyring[id]);
pr_err("no %s keyring: %d\n", keyring_name[id], err);
@ -66,21 +56,3 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
return -EOPNOTSUPP;
}
int integrity_init_keyring(const unsigned int id)
{
const struct cred *cred = current_cred();
const struct user_struct *user = cred->user;
keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
KGIDT_INIT(0), cred,
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ),
KEY_ALLOC_NOT_IN_QUOTA, user->uid_keyring);
if (!IS_ERR(keyring[id]))
set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
else
pr_info("Can't allocate %s keyring (%ld)\n",
keyring_name[id], PTR_ERR(keyring[id]));
return 0;
}

View File

@ -123,11 +123,3 @@ config IMA_APPRAISE
For more information on integrity appraisal refer to:
<http://linux-ima.sourceforge.net>
If unsure, say N.
config IMA_TRUSTED_KEYRING
bool "Require all keys on the _ima keyring be signed"
depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
default y
help
This option requires that all keys added to the _ima
keyring be signed by a key on the system trusted keyring.

View File

@ -381,14 +381,3 @@ int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
}
return result;
}
#ifdef CONFIG_IMA_TRUSTED_KEYRING
static int __init init_ima_keyring(void)
{
int ret;
ret = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
return 0;
}
late_initcall(init_ima_keyring);
#endif

View File

@ -137,19 +137,12 @@ static inline int integrity_digsig_verify(const unsigned int id,
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
int asymmetric_verify(struct key *keyring, const char *sig,
int siglen, const char *data, int datalen);
int integrity_init_keyring(const unsigned int id);
#else
static inline int asymmetric_verify(struct key *keyring, const char *sig,
int siglen, const char *data, int datalen)
{
return -EOPNOTSUPP;
}
static int integrity_init_keyring(const unsigned int id)
{
return 0;
}
#endif
#ifdef CONFIG_INTEGRITY_AUDIT