path: root/security/keys
diff options
authorLinus Torvalds <>2020-01-28 18:52:09 -0800
committerLinus Torvalds <>2020-01-28 18:52:09 -0800
commit73a0bff2058f2403c604371c325fec737ac2ac61 (patch)
treeb862ab7ec0b6bf155cc491ec34343ac1df25bfa9 /security/keys
parent2cf64d7cb20b04cf25e4ebffc37833298f1d4bde (diff)
parentd54e17b4066612d88c4ef3e5fb3115f12733763d (diff)
Merge branch 'next-integrity' of git://
Pull IMA updates from Mimi Zohar: "Two new features - measuring certificates and querying IMA for a file hash - and three bug fixes: - Measuring certificates is like the rest of IMA, based on policy, but requires loading a custom policy. Certificates loaded onto a keyring, for example during early boot, before a custom policy has been loaded, are queued and only processed after loading the custom policy. - IMA calculates and caches files hashes. Other kernel subsystems, and possibly kernel modules, are interested in accessing these cached file hashes. The bug fixes prevent classifying a file short read (e.g. shutdown) as an invalid file signature, add a missing blank when displaying the securityfs policy rules containing LSM labels, and, lastly, fix the handling of the IMA policy information for unknown LSM labels" * 'next-integrity' of git:// IMA: Defined delayed workqueue to free the queued keys IMA: Call workqueue functions to measure queued keys IMA: Define workqueue for early boot key measurements IMA: pre-allocate buffer to hold keyrings string ima: ima/lsm policy rule loading logic bug fixes ima: add the ability to query the cached hash of a given file ima: Add a space after printing LSM rules for readability IMA: fix measuring asymmetric keys Kconfig IMA: Read keyrings= option from the IMA policy IMA: Add support to limit measuring keys KEYS: Call the IMA hook to measure keys IMA: Define an IMA hook to measure keys IMA: Add KEY_CHECK func to measure keys IMA: Check IMA policy flag ima: avoid appraise error for hash calc interrupt
Diffstat (limited to 'security/keys')
1 files changed, 10 insertions, 0 deletions
diff --git a/security/keys/key.c b/security/keys/key.c
index 764f4c57913e..718bf7217420 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -13,6 +13,7 @@
#include <linux/security.h>
#include <linux/workqueue.h>
#include <linux/random.h>
+#include <linux/ima.h>
#include <linux/err.h>
#include "internal.h"
@@ -936,6 +937,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
goto error_link_end;
+ ima_post_key_create_or_update(keyring, key, payload, plen,
+ flags, true);
key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
@@ -965,6 +969,12 @@ error:
key_ref = __key_update(key_ref, &prep);
+ if (!IS_ERR(key_ref))
+ ima_post_key_create_or_update(keyring, key,
+ payload, plen,
+ flags, false);
goto error_free_prep;