• David Howells's avatar
    IMA: Use the the system trusted keyrings instead of .ima_mok · 56104cf2
    David Howells authored
    Add a config option (IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
    that, when enabled, allows keys to be added to the IMA keyrings by
    userspace - with the restriction that each must be signed by a key in the
    system trusted keyrings.
    
    EPERM will be returned if this option is disabled, ENOKEY will be returned if
    no authoritative key can be found and EKEYREJECTED will be returned if the
    signature doesn't match.  Other errors such as ENOPKG may also be returned.
    
    If this new option is enabled, the builtin system keyring is searched, as is
    the secondary system keyring if that is also enabled.  Intermediate keys
    between the builtin system keyring and the key being added can be added to
    the secondary keyring (which replaces .ima_mok) to form a trust chain -
    provided they are also validly signed by a key in one of the trusted keyrings.
    
    The .ima_mok keyring is then removed and the IMA blacklist keyring gets its
    own config option (IMA_BLACKLIST_KEYRING).
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
    56104cf2
system_keyring.h 1.36 KB