From 1d48e14a7a15b509650b554f8deb66d7fc82ccc1 Mon Sep 17 00:00:00 2001
From: Ajo Jose Panoor
Date: Fri, 8 Oct 2021 15:35:32 +0800
Subject: [PATCH] imans: Use initial ima namespace domain tag when IMANS is disabled.
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4C9AE
CVE: NA
-----------------------------------------------------------------
As part of the imans support, a key domain tag is added to the search criteria in digsig module. When IMA Namespace is disabled, the initial ima namespace domain tag should be used instead of nsproxy.
Signed-off-by: Ajo Jose Panoor
Reviewed-by: Zhang Tianxing
Signed-off-by: Zheng Zengkai
---
 security/integrity/digsig.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 2c923dc0dbd3..c866a5c2c9b1 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -74,8 +74,11 @@ static struct key_tag *domain_tag_from_id(const unsigned int id)
 return ERR_PTR(-EINVAL);
 if (id == INTEGRITY_KEYRING_IMA)
+#ifdef CONFIG_IMA_NS
 return current->nsproxy->ima_ns->key_domain;
-
+#else
+ return init_ima_ns.key_domain;
+#endif
 return NULL;
 }
--
GitLab
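Review bot: The `#ifdef CONFIG_IMA_NS` / `#else` pair forms the body of the unbraced `if (id == INTEGRITY_KEYRING_IMA)`, so the preprocessor decides which statement that `if` guards. A later edit that leaves one branch empty would silently make `return NULL;` the guarded statement and change the domain tag used to scope the key search for signature verification. Bracing the condition, `if (id == INTEGRITY_KEYRING_IMA) {` … `}`, or moving the selection into a small static helper, keeps the control flow identical in both configurations. The `#else` branch also assumes `init_ima_ns` is declared and linked whenever digsig.c is built; its definition is not visible in this hunk, so that is worth confirming for a configuration with integrity signatures enabled but IMA disabled. The start of domain_tag_from_id() lies outside the hunk.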