From: Ajo Jose Panoor ajo.jose.panoor@huawei.com

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4C9AE CVE: NA

-----------------------------------------------------------------

As part of the imans support, a key domain tag is added to the search criteria in digsig module. When IMA Namespace is disabled, the initial ima namespace domain tag should be used instead of nsproxy.

Signed-off-by: Ajo Jose Panoor ajo.jose.panoor@huawei.com Reviewed-by: Zhang Tianxing zhangtianxing3@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- security/integrity/digsig.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 2c923dc0dbd3..c866a5c2c9b1 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -74,8 +74,11 @@ static struct key_tag *domain_tag_from_id(const unsigned int id) return ERR_PTR(-EINVAL);

if (id == INTEGRITY_KEYRING_IMA) +#ifdef CONFIG_IMA_NS return current->nsproxy->ima_ns->key_domain; - +#else + return init_ima_ns.key_domain; +#endif return NULL; }