[3.19.y-ckt stable] Patch "integrity: prevent loading untrusted certificates on the IMA trusted keyring" has been added to staging queue
Kamal Mostafa
kamal at canonical.com
Mon Nov 30 22:09:19 UTC 2015
This is a note to let you know that I have just added a patch titled
integrity: prevent loading untrusted certificates on the IMA trusted keyring
to the linux-3.19.y-queue branch of the 3.19.y-ckt extended stable tree
which can be found at:
http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.19.y-queue
This patch is scheduled to be released in version 3.19.8-ckt11.
If you, or anyone else, feels it should not be added to this tree, please
reply to this email.
For more information about the 3.19.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
Thanks.
-Kamal
------
>From 0a45d28fb232124ff57f385291e217901f1daf06 Mon Sep 17 00:00:00 2001
From: Dmitry Kasatkin <dmitry.kasatkin at gmail.com>
Date: Thu, 10 Sep 2015 22:06:15 +0300
Subject: integrity: prevent loading untrusted certificates on the IMA trusted
keyring
commit 72e1eed8abb11c79749266d433c817ce36732893 upstream.
If IMA_LOAD_X509 is enabled, either directly or indirectly via
IMA_APPRAISE_SIGNED_INIT, certificates are loaded onto the IMA
trusted keyring by the kernel via key_create_or_update(). When
the KEY_ALLOC_TRUSTED flag is provided, certificates are loaded
without first verifying the certificate is properly signed by a
trusted key on the system keyring. This patch removes the
KEY_ALLOC_TRUSTED flag.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin at huawei.com>
Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
security/integrity/digsig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 5e3bd72..972eb24 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -105,7 +105,7 @@ int __init integrity_load_x509(const unsigned int id, char *path)
rc,
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ),
- KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_TRUSTED);
+ KEY_ALLOC_NOT_IN_QUOTA);
if (IS_ERR(key)) {
rc = PTR_ERR(key);
pr_err("Problem loading X.509 certificate (%d): %s\n",
--
1.9.1
More information about the kernel-team
mailing list