aboutsummaryrefslogtreecommitdiff
path: root/security/ipe/policy.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/ipe/policy.c')
-rw-r--r--security/ipe/policy.c18
1 files changed, 15 insertions, 3 deletions
diff --git a/security/ipe/policy.c b/security/ipe/policy.c
index d8e7db857a2e..b628f696e32b 100644
--- a/security/ipe/policy.c
+++ b/security/ipe/policy.c
@@ -106,8 +106,8 @@ int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
goto err;
}
- if (ver_to_u64(old) > ver_to_u64(new)) {
- rc = -EINVAL;
+ if (ver_to_u64(old) >= ver_to_u64(new)) {
+ rc = -ESTALE;
goto err;
}
@@ -169,9 +169,21 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
goto err;
}
- rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, NULL,
+ rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
+#ifdef CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING
+ VERIFY_USE_SECONDARY_KEYRING,
+#else
+ NULL,
+#endif
VERIFYING_UNSPECIFIED_SIGNATURE,
set_pkcs7_data, new);
+#ifdef CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING
+ if (rc == -ENOKEY || rc == -EKEYREJECTED)
+ rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_UNSPECIFIED_SIGNATURE,
+ set_pkcs7_data, new);
+#endif
if (rc)
goto err;
} else {
Powered by cgit, Gruvboxed by Blaster4385.