integrity: prevent flooding with 'Request for unknown key'

If file has IMA signature, IMA in enforce mode, but key is missing
then file access is blocked and single error message is printed.

If IMA appraisal is enabled in fix mode, then system runs as usual
but might produce tons of 'Request for unknown key' messages.

This patch switches 'pr_warn' to 'pr_err_ratelimited'.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index 9eae4809006be6f364ed9e5fe31ccb897381b856..37e0d98517a89c7929eab09cbc7f36e3a78ff65c 100644 (file)
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -13,6 +13,7 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/err.h>
+#include <linux/ratelimit.h>
 #include <linux/key-type.h>
 #include <crypto/public_key.h>
 #include <keys/asymmetric-type.h>
@@ -45,8 +46,8 @@ static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid)
        }
 
        if (IS_ERR(key)) {
-               pr_warn("Request for unknown key '%s' err %ld\n",
-                       name, PTR_ERR(key));
+               pr_err_ratelimited("Request for unknown key '%s' err %ld\n",
+                                  name, PTR_ERR(key));
                switch (PTR_ERR(key)) {
                        /* Hide some search errors */
                case -EACCES: