Revert "ima: define '_ima' as a builtin 'trusted' keyring"
authorLinus Torvalds <torvalds@linux-foundation.org>
Sun, 24 Nov 2013 00:36:35 +0000 (16:36 -0800)
committerLinus Torvalds <torvalds@linux-foundation.org>
Sun, 24 Nov 2013 00:36:35 +0000 (16:36 -0800)
This reverts commit 217091dd7a7a1bdac027ddb7c5a25f6ac0b8e241, which
caused the following build error:

  security/integrity/digsig.c:70:5: error: redefinition of ‘integrity_init_keyring’
  security/integrity/integrity.h:149:12: note: previous definition of ‘integrity_init_keyring’ w
  security/integrity/integrity.h:149:12: warning: ‘integrity_init_keyring’ defined but not used

reported by Krzysztof Kolasa. Mimi says:

 "I made the classic mistake of requesting this patch to be upstreamed
  at the last second, rather than waiting until the next open window.

  At this point, the best course would probably be to revert the two
  commits and fix them for the next open window"

Reported-by: Krzysztof Kolasa <kkolasa@winsoft.pl>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
security/integrity/digsig.c
security/integrity/ima/Kconfig
security/integrity/ima/ima_appraise.c
security/integrity/integrity.h

index 77ca965ab684e67e2809dc16f024728d8df41c70..b4af4ebc5be284d7f2665a5266be6a5bf267a683 100644 (file)
@@ -13,9 +13,7 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/err.h>
-#include <linux/sched.h>
 #include <linux/rbtree.h>
-#include <linux/cred.h>
 #include <linux/key-type.h>
 #include <linux/digsig.h>
 
 
 static struct key *keyring[INTEGRITY_KEYRING_MAX];
 
-#ifdef CONFIG_IMA_TRUSTED_KEYRING
-static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
-       ".evm",
-       ".module",
-       ".ima",
-};
-#else
 static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
        "_evm",
        "_module",
        "_ima",
 };
-#endif
 
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
                            const char *digest, int digestlen)
@@ -45,7 +35,7 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 
        if (!keyring[id]) {
                keyring[id] =
-                   request_key(&key_type_keyring, keyring_name[id], NULL);
+                       request_key(&key_type_keyring, keyring_name[id], NULL);
                if (IS_ERR(keyring[id])) {
                        int err = PTR_ERR(keyring[id]);
                        pr_err("no %s keyring: %d\n", keyring_name[id], err);
@@ -66,21 +56,3 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 
        return -EOPNOTSUPP;
 }
-
-int integrity_init_keyring(const unsigned int id)
-{
-       const struct cred *cred = current_cred();
-       const struct user_struct *user = cred->user;
-
-       keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
-                                   KGIDT_INIT(0), cred,
-                                   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
-                                    KEY_USR_VIEW | KEY_USR_READ),
-                                   KEY_ALLOC_NOT_IN_QUOTA, user->uid_keyring);
-       if (!IS_ERR(keyring[id]))
-               set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
-       else
-               pr_info("Can't allocate %s keyring (%ld)\n",
-                       keyring_name[id], PTR_ERR(keyring[id]));
-       return 0;
-}
index dad8d4ca2437fd608b73218993b23c3275c65b8d..81a27971d884215bc20e71d756f6778893ae1d67 100644 (file)
@@ -123,11 +123,3 @@ config IMA_APPRAISE
          For more information on integrity appraisal refer to:
          <http://linux-ima.sourceforge.net>
          If unsure, say N.
-
-config IMA_TRUSTED_KEYRING
-       bool "Require all keys on the _ima keyring be signed"
-       depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
-       default y
-       help
-          This option requires that all keys added to the _ima
-          keyring be signed by a key on the system trusted keyring.
index 46353ee517f6f321a738b067584d7e62dd8872fe..734e9468aca01c9a3724a57136f6d8bf371951f3 100644 (file)
@@ -381,14 +381,3 @@ int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
        }
        return result;
 }
-
-#ifdef CONFIG_IMA_TRUSTED_KEYRING
-static int __init init_ima_keyring(void)
-{
-       int ret;
-
-       ret = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
-       return 0;
-}
-late_initcall(init_ima_keyring);
-#endif
index b9e7c133734a2dc5796fe98f5c15f8c81ebc5d26..2fb5e53e927f2bf5432a34af1251c89f359d90f7 100644 (file)
@@ -137,19 +137,12 @@ static inline int integrity_digsig_verify(const unsigned int id,
 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
 int asymmetric_verify(struct key *keyring, const char *sig,
                      int siglen, const char *data, int datalen);
-
-int integrity_init_keyring(const unsigned int id);
 #else
 static inline int asymmetric_verify(struct key *keyring, const char *sig,
                                    int siglen, const char *data, int datalen)
 {
        return -EOPNOTSUPP;
 }
-
-static int integrity_init_keyring(const unsigned int id)
-{
-       return 0;
-}
 #endif
 
 #ifdef CONFIG_INTEGRITY_AUDIT