| author | Alexei Starovoitov <ast@kernel.org> | 2024-10-24 18:45:59 -0700 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2024-10-24 18:47:28 -0700 |
| commit | bfa7b5c98be4bdcf8aaa4e5ca0b91359ea28c05c (patch) | |
| tree | 751b70005cb6641c42e90191f35dac731459a6ec /security/ipe/policy.c | |
| parent | Merge branch 'share-user-memory-to-bpf-program-through-task-storage-map' (diff) | |
| parent | Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf (diff) | |
| download | linux-bfa7b5c98be4bdcf8aaa4e5ca0b91359ea28c05c.tar.gz linux-bfa7b5c98be4bdcf8aaa4e5ca0b91359ea28c05c.zip | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Cross-merge bpf fixes after downstream PR.
No conflicts.
Adjacent changes in:
include/linux/bpf.h
include/uapi/linux/bpf.h
kernel/bpf/btf.c
kernel/bpf/helpers.c
kernel/bpf/syscall.c
kernel/bpf/verifier.c
kernel/trace/bpf_trace.c
mm/slab_common.c
tools/include/uapi/linux/bpf.h
tools/testing/selftests/bpf/Makefile
Link: https://lore.kernel.org/all/20241024215724.60017-1-daniel@iogearbox.net/
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'security/ipe/policy.c')
| -rw-r--r-- | security/ipe/policy.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/security/ipe/policy.c b/security/ipe/policy.c
index d8e7db857a2e..b628f696e32b 100644
--- a/security/ipe/policy.c
+++ b/security/ipe/policy.c
@@ -106,8 +106,8 @@ int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
 goto err;
 }
 
- if (ver_to_u64(old) > ver_to_u64(new)) {
- rc = -EINVAL;
+ if (ver_to_u64(old) >= ver_to_u64(new)) {
+ rc = -ESTALE;
 goto err;
 }
 
@@ -169,9 +169,21 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
 goto err;
 }
 
- rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, NULL,
+ rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
+#ifdef CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING
+ VERIFY_USE_SECONDARY_KEYRING,
+#else
+ NULL,
+#endif
 VERIFYING_UNSPECIFIED_SIGNATURE,
 set_pkcs7_data, new);
+#ifdef CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING
+ if (rc == -ENOKEY || rc == -EKEYREJECTED)
+ rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_UNSPECIFIED_SIGNATURE,
+ set_pkcs7_data, new);
+#endif
 if (rc)
 goto err;
 } else { |
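Review bot: The changed check in ipe_update_policy now refuses an update whose version equals the active one and reports -ESTALE, but nothing at the check says why, and the function's kernel-doc (outside this hunk) presumably still needs the new return code listed. I would add a comment above the `if`, for example `/* Refuse same-or-older versions so a correctly signed but superseded policy cannot be re-applied; -ESTALE separates this from a malformed policy (-EINVAL). */`. Userspace that re-applied an identical policy, or matched on -EINVAL for the downgrade case, sees a behaviour change here, so the return-value documentation should be updated in the same change. The body of ipe_update_policy starts and ends outside the hunk.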
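Review bot: The two #ifdef branches in ipe_new_policy widen the set of keys that can sign an IPE policy, yet the code carries no comment stating the resulting trust order or why the platform-keyring retry is limited to -ENOKEY and -EKEYREJECTED. Both calls pass VERIFYING_UNSPECIFIED_SIGNATURE, so no key-usage restriction is visible here, and with these options enabled any key in the secondary or platform keyring appears able to authorise a policy; that should be stated next to the call and in the options' help text (not shown). I would add above the retry something like `/* Retry against the platform keyring only when the first keyring held no key that validates the signature; every other error is final. */`. It is also worth confirming that set_pkcs7_data cannot have run on the failed first attempt, since the same `new` is passed to the second call. The function body extends beyond the hunk.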
