integrity: prevent loading untrusted certificates on the IMA trusted keyring (72e1eed8) · Commits · Mirrors / github.com / raspberrypi_linux

Commit 72e1eed8 authored Sep 10, 2015 by

Dmitry Kasatkin Committed by Mimi Zohar Oct 09, 2015

integrity: prevent loading untrusted certificates on the IMA trusted keyring



If IMA_LOAD_X509 is enabled, either directly or indirectly via
IMA_APPRAISE_SIGNED_INIT, certificates are loaded onto the IMA
trusted keyring by the kernel via key_create_or_update(). When
the KEY_ALLOC_TRUSTED flag is provided, certificates are loaded
without first verifying the certificate is properly signed by a
trusted key on the system keyring.  This patch removes the
KEY_ALLOC_TRUSTED flag.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Cc:  <stable@vger.kernel.org> # 3.19+
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

parent 049e6dde

Hide whitespace changes

Inline Side-by-side

Please register or to comment