From: Nayna Jain nayna@linux.ibm.com
[ Upstream commit 2434f7d2d488c3301ae81f1031e1c66c6f076fb7 ]
The -EKEYREJECTED error returned by existing is_hash_blacklisted() is misleading when called for checking against blacklisted hash of a binary.
This patch adds a wrapper function is_binary_blacklisted() to return -EPERM error if binary is blacklisted.
Signed-off-by: Nayna Jain nayna@linux.ibm.com Reviewed-by: Mimi Zohar zohar@linux.ibm.com Signed-off-by: Michael Ellerman mpe@ellerman.id.au Link: https://lore.kernel.org/r/1572492694-6520-7-git-send-email-zohar@linux.ibm.c... Signed-off-by: Sasha Levin sashal@kernel.org --- certs/blacklist.c | 9 +++++++++ include/keys/system_keyring.h | 6 ++++++ 2 files changed, 15 insertions(+)
diff --git a/certs/blacklist.c b/certs/blacklist.c index 025a41de28fd..f1c434b04b5e 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -135,6 +135,15 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) } EXPORT_SYMBOL_GPL(is_hash_blacklisted);
+int is_binary_blacklisted(const u8 *hash, size_t hash_len) +{ + if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED) + return -EPERM; + + return 0; +} +EXPORT_SYMBOL_GPL(is_binary_blacklisted); + /* * Initialise the blacklist */ diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index c1a96fdf598b..fb8b07daa9d1 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -35,12 +35,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted( extern int mark_hash_blacklisted(const char *hash); extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type); +extern int is_binary_blacklisted(const u8 *hash, size_t hash_len); #else static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) { return 0; } + +static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len) +{ + return 0; +} #endif
#ifdef CONFIG_IMA_BLACKLIST_KEYRING