| 1 | // SPDX-License-Identifier: GPL-2.0-only |
|---|---|
| 2 | /* |
| 3 | * Copyright (C) 2015 Juniper Networks, Inc. |
| 4 | * |
| 5 | * Author: |
| 6 | * Petko Manolov <petko.manolov@konsulko.com> |
| 7 | */ |
| 8 | |
| 9 | #include <linux/export.h> |
| 10 | #include <linux/kernel.h> |
| 11 | #include <linux/sched.h> |
| 12 | #include <linux/cred.h> |
| 13 | #include <linux/err.h> |
| 14 | #include <linux/init.h> |
| 15 | #include <linux/slab.h> |
| 16 | #include <keys/system_keyring.h> |
| 17 | |
| 18 | |
| 19 | struct key *ima_blacklist_keyring; |
| 20 | |
| 21 | /* |
| 22 | * Allocate the IMA blacklist keyring |
| 23 | */ |
| 24 | static __init int ima_mok_init(void) |
| 25 | { |
| 26 | struct key_restriction *restriction; |
| 27 | |
| 28 | pr_notice("Allocating IMA blacklist keyring.\n"); |
| 29 | |
| 30 | restriction = kzalloc(size: sizeof(struct key_restriction), GFP_KERNEL); |
| 31 | if (!restriction) |
| 32 | panic(fmt: "Can't allocate IMA blacklist restriction."); |
| 33 | |
| 34 | restriction->check = restrict_link_by_builtin_trusted; |
| 35 | |
| 36 | ima_blacklist_keyring = keyring_alloc(description: ".ima_blacklist", |
| 37 | KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), |
| 38 | perm: (KEY_POS_ALL & ~KEY_POS_SETATTR) | |
| 39 | KEY_USR_VIEW | KEY_USR_READ | |
| 40 | KEY_USR_WRITE | KEY_USR_SEARCH, |
| 41 | KEY_ALLOC_NOT_IN_QUOTA | |
| 42 | KEY_ALLOC_SET_KEEP, |
| 43 | restrict_link: restriction, NULL); |
| 44 | |
| 45 | if (IS_ERR(ima_blacklist_keyring)) |
| 46 | panic("Can't allocate IMA blacklist keyring."); |
| 47 | return 0; |
| 48 | } |
| 49 | device_initcall(ima_mok_init); |
| 50 |