// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (C) 2015 Juniper Networks, Inc.
 *
 * Author:
 *	Petko Manolov <petko.manolov@konsulko.com>
 */

#include <linux/export.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/cred.h>
#include <linux/err.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <keys/system_keyring.h>


/* Handle to the ".ima_blacklist" keyring; assigned once by ima_mok_init(). */
struct key *ima_blacklist_keyring;

/*
 * Create the ".ima_blacklist" keyring during boot (device_initcall level).
 *
 * Every link into the keyring is vetted by restrict_link_by_builtin_trusted,
 * so a key is only accepted when it is vouched for by a key in the builtin
 * trusted keyring.
 *
 * Both allocation failures end in panic(): the system does not continue
 * booting without the blacklist keyring in place.
 *
 * Return: always 0 (the failure paths do not return).
 */
static __init int ima_mok_init(void)
{
	struct key_restriction *restriction;

	pr_notice("Allocating IMA blacklist keyring.\n");

	/*
	 * The restriction is handed to keyring_alloc() below and is not freed
	 * in this function.
	 */
	restriction = kzalloc(sizeof(*restriction), GFP_KERNEL);
	if (!restriction)
		panic("Can't allocate IMA blacklist restriction.");

	/* Gate every key addition on a signature check against builtin keys. */
	restriction->check = restrict_link_by_builtin_trusted;

	/*
	 * Owned by uid 0 / gid 0.  The possessor gets every permission except
	 * SETATTR; the owning user may view, read, write and search.  No
	 * group or other permission bits are granted.
	 *
	 * KEY_ALLOC_NOT_IN_QUOTA keeps the keyring out of quota accounting;
	 * KEY_ALLOC_SET_KEEP asks for the KEEP flag to be set on the keyring.
	 */
	ima_blacklist_keyring =
		keyring_alloc(".ima_blacklist",
			      KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
			      (KEY_POS_ALL & ~KEY_POS_SETATTR) |
			      KEY_USR_VIEW | KEY_USR_READ |
			      KEY_USR_WRITE | KEY_USR_SEARCH,
			      KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_SET_KEEP,
			      restriction, NULL);

	/* keyring_alloc() reports failure as an ERR_PTR, not NULL. */
	if (IS_ERR(ima_blacklist_keyring))
		panic("Can't allocate IMA blacklist keyring.");

	return 0;
}
device_initcall(ima_mok_init);