summaryrefslogtreecommitdiffstats
path: root/security/integrity/digsig.c
diff options
context:
space:
mode:
authorChristoph Hellwig <hch@lst.de>2017-09-10 09:49:45 +0200
committerMimi Zohar <zohar@linux.vnet.ibm.com>2017-11-08 21:16:36 +0100
commita7d3d0392a325d630225b7dbccf2558f944114e5 (patch)
treefa0e65c07ebf6e6df340d6f0ab0b9f2ca62d3acd /security/integrity/digsig.c
parentima: always measure and audit files in policy (diff)
downloadlinux-a7d3d0392a325d630225b7dbccf2558f944114e5.tar.xz
linux-a7d3d0392a325d630225b7dbccf2558f944114e5.zip
integrity: use kernel_read_file_from_path() to read x509 certs
The CONFIG_IMA_LOAD_X509 and CONFIG_EVM_LOAD_X509 options permit loading x509 signed certificates onto the trusted keyrings without verifying the x509 certificate file's signature. This patch replaces the call to the integrity_read_file() specific function with the common kernel_read_file_from_path() function. To avoid verifying the file signature, this patch defines READING_X509_CERTFICATE. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/digsig.c')
-rw-r--r--security/integrity/digsig.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 06554c448dce..6f9e4ce568cd 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -112,21 +112,25 @@ int __init integrity_init_keyring(const unsigned int id)
int __init integrity_load_x509(const unsigned int id, const char *path)
{
key_ref_t key;
- char *data;
+ void *data;
+ loff_t size;
int rc;
if (!keyring[id])
return -EINVAL;
- rc = integrity_read_file(path, &data);
- if (rc < 0)
+ rc = kernel_read_file_from_path(path, &data, &size, 0,
+ READING_X509_CERTIFICATE);
+ if (rc < 0) {
+ pr_err("Unable to open file: %s (%d)", path, rc);
return rc;
+ }
key = key_create_or_update(make_key_ref(keyring[id], 1),
"asymmetric",
NULL,
data,
- rc,
+ size,
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ),
KEY_ALLOC_NOT_IN_QUOTA);
@@ -139,6 +143,6 @@ int __init integrity_load_x509(const unsigned int id, const char *path)
key_ref_to_ptr(key)->description, path);
key_ref_put(key);
}
- kfree(data);
+ vfree(data);
return 0;
}