[PATCH v5 08/12] KEYS: integrity: change link restriction to trust the machine keyring

Mimi Zohar zohar at linux.ibm.com
Thu Sep 9 17:27:04 UTC 2021


Hi Eric,

On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote:

> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 955bd57815f4..747f0c528fec 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -89,7 +89,10 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void
>  	if (!restriction)
>  		panic("Can't allocate secondary trusted keyring restriction\n");
>  
> -	restriction->check = restrict_link_by_builtin_and_secondary_trusted;
> +	if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
> +		restriction->check = restrict_link_by_builtin_secondary_and_ca_trusted;

Returning the new restriction in a function named
get_builtin_and_secondary_restriction() is kind of weird.  Renaming the
function to get_secondary_restriction() would be clearer.

thanks,

Mimi



More information about the Linux-security-module-archive mailing list