forked from luck/tmp_suning_uos_patched
certs: Add wrapper function to check blacklisted binary hash
The -EKEYREJECTED error returned by existing is_hash_blacklisted() is misleading when called for checking against blacklisted hash of a binary. This patch adds a wrapper function is_binary_blacklisted() to return -EPERM error if binary is blacklisted. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/1572492694-6520-7-git-send-email-zohar@linux.ibm.com
This commit is contained in:
parent
e14555e3d0
commit
2434f7d2d4
|
@ -135,6 +135,15 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
|
|||
}
|
||||
EXPORT_SYMBOL_GPL(is_hash_blacklisted);
|
||||
|
||||
int is_binary_blacklisted(const u8 *hash, size_t hash_len)
|
||||
{
|
||||
if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED)
|
||||
return -EPERM;
|
||||
|
||||
return 0;
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(is_binary_blacklisted);
|
||||
|
||||
/*
|
||||
* Initialise the blacklist
|
||||
*/
|
||||
|
|
|
@ -35,12 +35,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
|
|||
extern int mark_hash_blacklisted(const char *hash);
|
||||
extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
|
||||
const char *type);
|
||||
extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
|
||||
#else
|
||||
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
|
||||
const char *type)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
|
||||
|
|
Loading…
Reference in New Issue
Block a user