integrity: eliminate unnecessary "Problem loading X.509 certificate" msg

Currently when the kernel fails to add a cert to the .machine keyring,
it will throw an error immediately in the function integrity_add_key.

Since the kernel will try adding to the .platform keyring next or throw
an error (in the caller of integrity_add_key i.e. add_to_machine_keyring),
so there is no need to throw an error immediately in integrity_add_key.

Reported-by: itrymybest80@protonmail.com
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2239331
Fixes: d19967764ba8 ("integrity: Introduce a Linux keyring called machine")
Reviewed-by: Eric Snowberg <eric.snowberg@oracle.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index df387de29bfa54bf4bf0f7607a6837ec589ebfd5..45c3e5dda355e23f823086816d00e78071b1c15c 100644 (file)
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -179,7 +179,8 @@ static int __init integrity_add_key(const unsigned int id, const void *data,
                                   KEY_ALLOC_NOT_IN_QUOTA);
        if (IS_ERR(key)) {
                rc = PTR_ERR(key);
-               pr_err("Problem loading X.509 certificate %d\n", rc);
+               if (id != INTEGRITY_KEYRING_MACHINE)
+                       pr_err("Problem loading X.509 certificate %d\n", rc);
        } else {
                pr_notice("Loaded X.509 cert '%s'\n",
                          key_ref_to_ptr(key)->description);