Revert "integrity: Add key domain tag to the search criteria"

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G
CVE: NA

--------------------------------

This reverts commit 1939da70.
Signed-off-by: NZhang Tianxing <zhangtianxing3@huawei.com>
Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com>
Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>

include/linux/digsig.h

@@ -44,16 +44,13 @@ struct signature_hdr {
 
 #if defined(CONFIG_SIGNATURE) || defined(CONFIG_SIGNATURE_MODULE)
 
-int digsig_verify(struct key *keyring, struct key_tag *domain_tag,
-		  const char *sig, int siglen, const char *digest,
-		  int digestlen);
+int digsig_verify(struct key *keyring, const char *sig, int siglen,
+					const char *digest, int digestlen);
 
 #else
 
-static inline int digsig_verify(struct key *keyring,
-				struct key_tag *domain_tag,
-				const char *sig, int siglen, const char *digest,
-				int digestlen)
+static inline int digsig_verify(struct key *keyring, const char *sig,
+				int siglen, const char *digest, int digestlen)
 {
 	return -EOPNOTSUPP;
 }

lib/digsig.c

@@ -196,8 +196,8 @@ static int digsig_verify_rsa(struct key *key,
  * Normally hash of the content is used as a data for this function.
  *
  */
-int digsig_verify(struct key *keyring, struct key_tag *domain_tag,
-		  const char *sig, int siglen, const char *data, int datalen)
+int digsig_verify(struct key *keyring, const char *sig, int siglen,
+						const char *data, int datalen)
 {
 	int err = -ENOMEM;
 	struct signature_hdr *sh = (struct signature_hdr *)sig;
@@ -217,15 +217,14 @@ int digsig_verify(struct key *keyring, struct key_tag *domain_tag,
 	if (keyring) {
 		/* search in specific keyring */
 		key_ref_t kref;
-		kref = keyring_search_tag(make_key_ref(keyring, 1UL),
-					  &key_type_user, name,
-					  domain_tag, true);
+		kref = keyring_search(make_key_ref(keyring, 1UL),
+				      &key_type_user, name, true);
 		if (IS_ERR(kref))
 			key = ERR_CAST(kref);
 		else
 			key = key_ref_to_ptr(kref);
 	} else {
-		key = request_key_tag(&key_type_user, name, domain_tag, NULL);
+		key = request_key(&key_type_user, name, NULL);
 	}
 	if (IS_ERR(key)) {
 		pr_err("key not found, id: %s\n", name);

security/integrity/digsig.c

@@ -16,7 +16,6 @@
 #include <linux/vmalloc.h>
 #include <crypto/public_key.h>
 #include <keys/system_keyring.h>
-#include <linux/ima.h>
 
 #include "integrity.h"
 
@@ -33,16 +32,6 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
 	".platform",
 };
 
-static unsigned long keyring_alloc_flags[INTEGRITY_KEYRING_MAX] = {
-	KEY_ALLOC_NOT_IN_QUOTA,
-#ifdef CONFIG_IMA_NS
-	KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_DOMAIN_IMA,
-#else
-	KEY_ALLOC_NOT_IN_QUOTA,
-#endif
-	KEY_ALLOC_NOT_IN_QUOTA,
-};
-
 #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
 #define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
 #else
@@ -68,22 +57,10 @@ static struct key *integrity_keyring_from_id(const unsigned int id)
 	return keyring[id];
 }
 
-static struct key_tag *domain_tag_from_id(const unsigned int id)
-{
-	if (id >= INTEGRITY_KEYRING_MAX)
-		return ERR_PTR(-EINVAL);
-
-	if (id == INTEGRITY_KEYRING_IMA)
-		return current->nsproxy->ima_ns->key_domain;
-
-	return NULL;
-}
-
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 			    const char *digest, int digestlen)
 {
 	struct key *keyring;
-	struct key_tag *domain_tag;
 
 	if (siglen < 2)
 		return -EINVAL;
@@ -92,18 +69,14 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 	if (IS_ERR(keyring))
 		return PTR_ERR(keyring);
 
-	domain_tag = domain_tag_from_id(id);
-	if (IS_ERR(domain_tag))
-		return PTR_ERR(domain_tag);
-
 	switch (sig[1]) {
 	case 1:
 		/* v1 API expect signature without xattr type */
-		return digsig_verify(keyring, domain_tag,
-				     sig + 1, siglen - 1, digest, digestlen);
+		return digsig_verify(keyring, sig + 1, siglen - 1, digest,
+				     digestlen);
 	case 2:
-		return asymmetric_verify(keyring, domain_tag, sig, siglen,
-					 digest, digestlen);
+		return asymmetric_verify(keyring, sig, siglen, digest,
+					 digestlen);
 	}
 
 	return -EOPNOTSUPP;
@@ -129,8 +102,7 @@ static int __init __integrity_init_keyring(const unsigned int id,
 
 	keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
 				    KGIDT_INIT(0), cred, perm,
-				    keyring_alloc_flags[id],
-				    restriction, NULL);
+				    KEY_ALLOC_NOT_IN_QUOTA, restriction, NULL);
 	if (IS_ERR(keyring[id])) {
 		err = PTR_ERR(keyring[id]);
 		pr_info("Can't allocate %s keyring (%d)\n",
@@ -182,7 +154,7 @@ int __init integrity_add_key(const unsigned int id, const void *data,
 
 	key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric",
 				   NULL, data, size, perm,
-				   keyring_alloc_flags[id]);
+				   KEY_ALLOC_NOT_IN_QUOTA);
 	if (IS_ERR(key)) {
 		rc = PTR_ERR(key);
 		pr_err("Problem loading X.509 certificate %d\n", rc);

security/integrity/digsig_asymmetric.c

@@ -20,9 +20,7 @@
 /*
  * Request an asymmetric key.
  */
-static struct key *request_asymmetric_key(struct key *keyring,
-					  struct key_tag *domain_tag,
-					  uint32_t keyid)
+static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid)
 {
 	struct key *key;
 	char name[12];
@@ -47,16 +45,14 @@ static struct key *request_asymmetric_key(struct key *keyring,
 		/* search in specific keyring */
 		key_ref_t kref;
 
-		kref = keyring_search_tag(make_key_ref(keyring, 1),
-					  &key_type_asymmetric, name,
-					  domain_tag, true);
+		kref = keyring_search(make_key_ref(keyring, 1),
+				      &key_type_asymmetric, name, true);
 		if (IS_ERR(kref))
 			key = ERR_CAST(kref);
 		else
 			key = key_ref_to_ptr(kref);
 	} else {
-		key = request_key_tag(&key_type_asymmetric,
-				      name, domain_tag, NULL);
+		key = request_key(&key_type_asymmetric, name, NULL);
 	}
 
 	if (IS_ERR(key)) {
@@ -93,9 +89,8 @@ static struct key *request_asymmetric_key(struct key *keyring,
 	return key;
 }
 
-int asymmetric_verify(struct key *keyring, struct key_tag *domain_tag,
-		      const char *sig, int siglen,
-		      const char *data, int datalen)
+int asymmetric_verify(struct key *keyring, const char *sig,
+		      int siglen, const char *data, int datalen)
 {
 	struct public_key_signature pks;
 	struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
@@ -113,8 +108,7 @@ int asymmetric_verify(struct key *keyring, struct key_tag *domain_tag,
 	if (hdr->hash_algo >= HASH_ALGO__LAST)
 		return -ENOPKG;
 
-	key = request_asymmetric_key(keyring, domain_tag,
-				     be32_to_cpu(hdr->keyid));
+	key = request_asymmetric_key(keyring, be32_to_cpu(hdr->keyid));
 	if (IS_ERR(key))
 		return PTR_ERR(key);
 

security/integrity/integrity.h

@@ -256,14 +256,11 @@ static inline int __init integrity_load_cert(const unsigned int id,
 #endif /* CONFIG_INTEGRITY_SIGNATURE */
 
 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
-int asymmetric_verify(struct key *keyring, struct key_tag *domain_tag,
-		      const char *sig, int siglen,
-		      const char *data, int datalen);
+int asymmetric_verify(struct key *keyring, const char *sig,
+		      int siglen, const char *data, int datalen);
 #else
-static inline int asymmetric_verify(struct key *keyring,
-				    struct key_tag *domain_tag,
-				    const char *sig, int siglen,
-				    const char *data, int datalen)
+static inline int asymmetric_verify(struct key *keyring, const char *sig,
+				    int siglen, const char *data, int datalen)
 {
 	return -EOPNOTSUPP;
 }