diff options
| author |  Linus Torvalds <torvalds@linux-foundation.org>
| 2023-11-02 06:53:22 -1000 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org>
| 2023-11-02 06:53:22 -1000 |
| commit | ca219be012786654d5c802ee892433aaa0016d10 (patch) | |
| tree | 027fe9e949f73c9661217adfbf4feaca5b14241c /crypto | |
| parent | Merge tag 'modules-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/... (diff) | |
| parent | ima: detect changes to the backing overlay file (diff) | |
| download | linux-ca219be012786654d5c802ee892433aaa0016d10.tar.gz linux-ca219be012786654d5c802ee892433aaa0016d10.tar.bz2 linux-ca219be012786654d5c802ee892433aaa0016d10.zip | |
Merge tag 'integrity-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull integrity updates from Mimi Zohar:
"Four integrity changes: two IMA-overlay updates, an integrity Kconfig
cleanup, and a secondary keyring update"
* tag 'integrity-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
ima: detect changes to the backing overlay file
certs: Only allow certs signed by keys on the builtin keyring
integrity: fix indentation of config attributes
ima: annotate iint mutex to avoid lockdep false positive warnings
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/asymmetric_keys/restrict.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 6b69ea40da23..afcd4d101ac5 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -102,6 +102,10 @@ int restrict_link_by_signature(struct key *dest_keyring, if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags)) ret = -ENOKEY; + else if (IS_BUILTIN(CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN) && + !strcmp(dest_keyring->description, ".secondary_trusted_keys") && + !test_bit(KEY_FLAG_BUILTIN, &key->flags)) + ret = -ENOKEY; else ret = verify_signature(key, sig); key_put(key); |