authorLinus Torvalds <torvalds@linux-foundation.org>2023-11-02 06:53:22 -1000
committerLinus Torvalds <torvalds@linux-foundation.org>2023-11-02 06:53:22 -1000
commitca219be012786654d5c802ee892433aaa0016d10 (patch)
tree027fe9e949f73c9661217adfbf4feaca5b14241c /crypto
parent21e80f3841c01aeaf32d7aee7bbc87b3db1aa0c6 (diff)
parentb836c4d29f2744200b2af41e14bf50758dddc818 (diff)
Merge tag 'integrity-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull integrity updates from Mimi Zohar: "Four integrity changes: two IMA-overlay updates, an integrity Kconfig cleanup, and a secondary keyring update" * tag 'integrity-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: detect changes to the backing overlay file certs: Only allow certs signed by keys on the builtin keyring integrity: fix indentation of config attributes ima: annotate iint mutex to avoid lockdep false positive warnings
Diffstat (limited to 'crypto')
-rw-r--r--crypto/asymmetric_keys/restrict.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 6b69ea40da23..afcd4d101ac5 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -102,6 +102,10 @@ int restrict_link_by_signature(struct key *dest_keyring,
if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))
ret = -ENOKEY;
+ else if (IS_BUILTIN(CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN) &&
+ !strcmp(dest_keyring->description, ".secondary_trusted_keys") &&
+ !test_bit(KEY_FLAG_BUILTIN, &key->flags))
+ ret = -ENOKEY;
else
ret = verify_signature(key, sig);
key_put(key);
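Review bot: The `!strcmp(dest_keyring->description, ".secondary_trusted_keys")` test in the new `else if` identifies the secondary keyring by a string literal repeated here, so if the description used where that keyring is allocated ever changes, this branch silently stops matching and the signer falls through to `verify_signature()` without the builtin-only restriction. Because that failure mode is fail-open, the name would be better taken from a constant shared with the allocation site, or at least pinned with a comment such as `/* must match the secondary trusted keyring's description; enforces signed-by-builtin */`. The function's header comment, which is outside this hunk, presumably also needs a sentence describing the new restriction; the body of restrict_link_by_signature starts and ends outside the hunk.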