
Commit 501f1bde authored by Mimi Zohar

IMA: prevent keys on the .ima_blacklist from being removed



Set the KEY_FLAGS_KEEP on the .ima_blacklist to prevent userspace
from removing keys from the keyring.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
parent d3600bcf
+2 −0
@@ -47,7 +47,9 @@ __init int ima_mok_init(void)
	if (IS_ERR(ima_mok_keyring) || IS_ERR(ima_blacklist_keyring))
		panic("Can't allocate IMA MOK or blacklist keyrings.");
	set_bit(KEY_FLAG_TRUSTED_ONLY, &ima_mok_keyring->flags);

	set_bit(KEY_FLAG_TRUSTED_ONLY, &ima_blacklist_keyring->flags);
	set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags);
	return 0;
}
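
Review bot: the added set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags) line in ima_mok_init() carries no comment explaining why the blacklist keyring gets this flag while ima_mok_keyring, set up just above it, gets only KEY_FLAG_TRUSTED_ONLY. A one-line comment above the new call stating that keys on the blacklist must not be removable by userspace would keep the intent from the commit message next to the code. The commit message also spells the flag KEY_FLAGS_KEEP, whereas the code uses KEY_FLAG_KEEP; matching the spelling would make the commit easier to find when searching the history for the flag name.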