integrity: use kernel_read_file_from_path() to read x509 certs

The CONFIG_IMA_LOAD_X509 and CONFIG_EVM_LOAD_X509 options permit loading x509 signed certificates onto the trusted keyrings without verifying the x509 certificate file's signature. This patch replaces the call to the integrity_read_file() specific function with the common kernel_read_file_from_path() function. To avoid verifying the file signature, this patch defines READING_X509_CERTFICATE. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
author: Christoph Hellwig <hch@lst.de> 2017-09-10 09:49:45 +0200
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2017-11-08 15:16:36 -0500
commit: a7d3d0392a325d630225b7dbccf2558f944114e5 (patch)
tree: fa0e65c07ebf6e6df340d6f0ab0b9f2ca62d3acd /security/integrity/ima/ima_main.c
parent: f3cc6b25dcc5616f0d5c720009b2ac66f97df2ff (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 12738c8f39c2..d47f92e97f80 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -405,6 +405,10 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
 	if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */
 		return 0;
 
+	/* permit signed certs */
+	if (!file && read_id == READING_X509_CERTIFICATE)
+		return 0;
+
 	if (!file || !buf || size == 0) { /* should never happen */
 		if (ima_appraise & IMA_APPRAISE_ENFORCE)
 			return -EACCES;
author	Christoph Hellwig <hch@lst.de>	2017-09-10 09:49:45 +0200
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2017-11-08 15:16:36 -0500
commit	a7d3d0392a325d630225b7dbccf2558f944114e5 (patch)
tree	fa0e65c07ebf6e6df340d6f0ab0b9f2ca62d3acd /security/integrity/ima/ima_main.c
parent	f3cc6b25dcc5616f0d5c720009b2ac66f97df2ff (diff)