Google Git
Sign in
linux / linux / kernel / git / zohar / linux-integrity / refs/heads/next-4.4
commit72e1eed8abb11c79749266d433c817ce36732893[log] [tgz]
authorDmitry Kasatkin <dmitry.kasatkin@gmail.com>Thu Sep 10 22:06:15 2015 +0300
committerMimi Zohar <zohar@linux.vnet.ibm.com>Fri Oct 09 15:31:18 2015 -0400
tree6afb6aa08f190047c5d7d15178d3ba56780a5789
parent049e6dde7e57f0054fdc49102e7ef4830c698b46 [diff]
integrity: prevent loading untrusted certificates on the IMA trusted keyring

If IMA_LOAD_X509 is enabled, either directly or indirectly via
IMA_APPRAISE_SIGNED_INIT, certificates are loaded onto the IMA
trusted keyring by the kernel via key_create_or_update(). When
the KEY_ALLOC_TRUSTED flag is provided, certificates are loaded
without first verifying the certificate is properly signed by a
trusted key on the system keyring.  This patch removes the
KEY_ALLOC_TRUSTED flag.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Cc:  <stable@vger.kernel.org> # 3.19+
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
1 file changed
tree: 6afb6aa08f190047c5d7d15178d3ba56780a5789
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .get_maintainer.ignore
  24. .gitignore
  25. .mailmap
  26. COPYING
  27. CREDITS
  28. Kbuild
  29. Kconfig
  30. MAINTAINERS
  31. Makefile
  32. README
  33. REPORTING-BUGS