// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (C) 2015 Juniper Networks, Inc.
 *
 * Author:
 * Petko Manolov <petko.manolov@konsulko.com>
 */
862306a36Sopenharmony_ci
962306a36Sopenharmony_ci#include <linux/export.h>
1062306a36Sopenharmony_ci#include <linux/kernel.h>
1162306a36Sopenharmony_ci#include <linux/sched.h>
1262306a36Sopenharmony_ci#include <linux/cred.h>
1362306a36Sopenharmony_ci#include <linux/err.h>
1462306a36Sopenharmony_ci#include <linux/init.h>
1562306a36Sopenharmony_ci#include <linux/slab.h>
1662306a36Sopenharmony_ci#include <keys/system_keyring.h>
1762306a36Sopenharmony_ci
1862306a36Sopenharmony_ci
/*
 * Handle for the ".ima_blacklist" keyring.  It has external linkage and is
 * assigned once, by ima_mok_init() at boot; until then it is NULL.
 */
struct key *ima_blacklist_keyring;
2062306a36Sopenharmony_ci
/*
 * ima_mok_init - create the ".ima_blacklist" keyring during boot.
 *
 * The keyring is owned by uid 0 / gid 0 and is allocated with
 * current_cred().  Three properties are fixed at creation time:
 *
 *  - Link restriction: the check callback is
 *    restrict_link_by_builtin_trusted (from keys/system_keyring.h), so a
 *    new key is only linked if it is vouched for by a key in the built-in
 *    trusted keyring.  Write permission on the keyring is therefore not
 *    sufficient on its own to add an entry.
 *  - Permissions: the possessor gets every right except SETATTR; the
 *    owner gets view, read, write and search.  No group or other bits
 *    are granted.
 *  - Flags: the keyring is not charged against a quota, and
 *    KEY_ALLOC_SET_KEEP sets the KEEP flag on it.
 *    NOTE(review): KEEP is understood to stop entries from being removed
 *    again once linked -- confirm against linux/key.h for this tree.
 *
 * Failure of either allocation is fatal: the function panics rather than
 * returning an error code.  Otherwise it returns 0.
 */
static __init int ima_mok_init(void)
{
	const unsigned long alloc_flags = KEY_ALLOC_NOT_IN_QUOTA |
					  KEY_ALLOC_SET_KEEP;
	struct key_restriction *link_rule;

	pr_notice("Allocating IMA blacklist keyring.\n");

	/* Zeroed so that every field other than ->check starts out clear. */
	link_rule = kzalloc(sizeof(*link_rule), GFP_KERNEL);
	if (link_rule == NULL)
		panic("Can't allocate IMA blacklist restriction.");

	link_rule->check = restrict_link_by_builtin_trusted;

	/*
	 * link_rule is not freed here: the pointer is handed to
	 * keyring_alloc() together with the new keyring.
	 */
	ima_blacklist_keyring =
		keyring_alloc(".ima_blacklist", KUIDT_INIT(0), KGIDT_INIT(0),
			      current_cred(),
			      (KEY_POS_ALL & ~KEY_POS_SETATTR) |
			      KEY_USR_VIEW | KEY_USR_READ |
			      KEY_USR_WRITE | KEY_USR_SEARCH,
			      alloc_flags, link_rule, NULL);
	if (IS_ERR(ima_blacklist_keyring))
		panic("Can't allocate IMA blacklist keyring.");

	return 0;
}
/* Register ima_mok_init() to run at the device initcall level during boot. */
device_initcall(ima_mok_init);