integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca

Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to restrict_link_by_ca. This will only allow CA keys into the machine keyring. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
0day-ci · Nov 16, 2021 · 37da84e92e00618ed2df4af65f5c07b16d6a04c0 · 37da84e
1 parent ecc9dac
commit 37da84e92e00618ed2df4af65f5c07b16d6a04c0
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
@@ -132,14 +132,18 @@ int __init integrity_init_keyring(const unsigned int id)
 		goto out;
 	}
 
-	if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING))
+	if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) &&
+	    id != INTEGRITY_KEYRING_MACHINE)
 		return 0;
 
 	restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
 	if (!restriction)
 		return -ENOMEM;
 
-	restriction->check = restrict_link_to_ima;
+	if (id == INTEGRITY_KEYRING_MACHINE)
+		restriction->check = restrict_link_by_ca;
+	else
+		restriction->check = restrict_link_to_ima;
 
 	/*
 	 * No additional keys shall be allowed to load into the machine