1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * Copyright (C) 2015 Juniper Networks, Inc. |
4 | * |
5 | * Author: |
6 | * Petko Manolov <petko.manolov@konsulko.com> |
7 | */ |
8 | |
9 | #include <linux/export.h> |
10 | #include <linux/kernel.h> |
11 | #include <linux/sched.h> |
12 | #include <linux/cred.h> |
13 | #include <linux/err.h> |
14 | #include <linux/init.h> |
15 | #include <linux/slab.h> |
16 | #include <keys/system_keyring.h> |
17 | |
18 | |
/*
 * The ".ima_blacklist" keyring.  It is allocated (and the restriction that
 * gates additions to it is installed) by ima_mok_init() below, which is
 * registered as a device_initcall; it is unset until that initcall has run.
 */
struct key *ima_blacklist_keyring;
20 | |
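/*
 * Allocate the IMA blacklist keyring.
 *
 * The keyring is created with a key_restriction whose ->check is
 * restrict_link_by_builtin_trusted, so even though the permission mask
 * grants KEY_USR_WRITE, anything linked into it still has to pass that
 * check against the builtin trusted keyring.  KEY_POS_SETATTR is cleared
 * and KEY_ALLOC_SET_KEEP is set; presumably this is what keeps the keyring
 * itself from being altered or removed after boot (KEY_FLAG_KEEP semantics
 * -- confirm against the keys headers).
 *
 * Both allocation failures are fatal: this runs from an initcall and the
 * keyring is treated as mandatory, so each failure path calls panic()
 * instead of returning an error.  The restriction is owned by the keyring
 * once keyring_alloc() succeeds and is never freed here.
 *
 * Return: 0 on success; does not return on failure.
 */
static __init int ima_mok_init(void)
{
	struct key_restriction *restriction;

	pr_notice("Allocating IMA blacklist keyring.\n");

	/* sizeof(*restriction) keeps the size tied to the pointee type. */
	restriction = kzalloc(sizeof(*restriction), GFP_KERNEL);
	if (!restriction)
		panic("Can't allocate IMA blacklist restriction.");

	restriction->check = restrict_link_by_builtin_trusted;

	/*
	 * Owned by uid/gid 0; possessor gets everything except SETATTR, the
	 * user gets view/read/write/search.  Write access is only meaningful
	 * subject to the link restriction installed above.
	 */
	ima_blacklist_keyring = keyring_alloc(".ima_blacklist",
				KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
				(KEY_POS_ALL & ~KEY_POS_SETATTR) |
				KEY_USR_VIEW | KEY_USR_READ |
				KEY_USR_WRITE | KEY_USR_SEARCH,
				KEY_ALLOC_NOT_IN_QUOTA |
				KEY_ALLOC_SET_KEEP,
				restriction, NULL);

	if (IS_ERR(ima_blacklist_keyring))
		panic("Can't allocate IMA blacklist keyring.");
	return 0;
}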
/* Register ima_mok_init() as a device initcall so the keyring is created during boot. */
device_initcall(ima_mok_init);