commit 34ef7bd3823bf4401bf8f1f855e1bc77b82b1a43
author Linus Torvalds <torvalds@linux-foundation.org> Sat Nov 23 16:36:35 2013 -0800
committer Linus Torvalds <torvalds@linux-foundation.org> Sat Nov 23 16:36:35 2013 -0800
tree 80b9e7de72353048b5e933d634d64bd14d0eb00c
parent 26b265cd29dde56bf0901c421eabc7ae815f38c4

Revert "ima: define '_ima' as a builtin 'trusted' keyring"

This reverts commit 217091dd7a7a1bdac027ddb7c5a25f6ac0b8e241, which
caused the following build error:

  security/integrity/digsig.c:70:5: error: redefinition of ‘integrity_init_keyring’
  security/integrity/integrity.h:149:12: note: previous definition of ‘integrity_init_keyring’ w
  security/integrity/integrity.h:149:12: warning: ‘integrity_init_keyring’ defined but not used

reported by Krzysztof Kolasa. Mimi says:

 "I made the classic mistake of requesting this patch to be upstreamed
  at the last second, rather than waiting until the next open window.

  At this point, the best course would probably be to revert the two
  commits and fix them for the next open window"

Reported-by: Krzysztof Kolasa <kkolasa@winsoft.pl>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

security/integrity/digsig.c

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 77ca965..b4af4eb 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -13,9 +13,7 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/err.h>
-#include <linux/sched.h>
 #include <linux/rbtree.h>
-#include <linux/cred.h>
 #include <linux/key-type.h>
 #include <linux/digsig.h>
 
@@ -23,19 +21,11 @@
 
 static struct key *keyring[INTEGRITY_KEYRING_MAX];
 
-#ifdef CONFIG_IMA_TRUSTED_KEYRING
-static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
-	".evm",
-	".module",
-	".ima",
-};
-#else
 static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
 	"_evm",
 	"_module",
 	"_ima",
 };
-#endif
 
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 			    const char *digest, int digestlen)
@@ -45,7 +35,7 @@
 
 	if (!keyring[id]) {
 		keyring[id] =
-		    request_key(&key_type_keyring, keyring_name[id], NULL);
+			request_key(&key_type_keyring, keyring_name[id], NULL);
 		if (IS_ERR(keyring[id])) {
 			int err = PTR_ERR(keyring[id]);
 			pr_err("no %s keyring: %d\n", keyring_name[id], err);
@@ -66,21 +56,3 @@
 
 	return -EOPNOTSUPP;
 }
-
-int integrity_init_keyring(const unsigned int id)
-{
-	const struct cred *cred = current_cred();
-	const struct user_struct *user = cred->user;
-
-	keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
-				    KGIDT_INIT(0), cred,
-				    ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
-				     KEY_USR_VIEW | KEY_USR_READ),
-				    KEY_ALLOC_NOT_IN_QUOTA, user->uid_keyring);
-	if (!IS_ERR(keyring[id]))
-		set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
-	else
-		pr_info("Can't allocate %s keyring (%ld)\n",
-			keyring_name[id], PTR_ERR(keyring[id]));
-	return 0;
-}