/*
 * Copyright (C) 2015 Juniper Networks, Inc.
 *
 * Author:
 * Petko Manolov <petko.manolov@konsulko.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 *
 */

#include <linux/export.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/cred.h>
#include <linux/err.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <keys/system_keyring.h>


/* The ".ima_blacklist" keyring; populated once by ima_mok_init() below. */
struct key *ima_blacklist_keyring;

/*
 * ima_mok_init - allocate the IMA blacklist keyring at boot.
 *
 * The keyring is owned by uid 0 / gid 0 and is created with a link
 * restriction (restrict_link_by_builtin_trusted), so only keys that
 * can be vouched for by the builtin trusted keyring may be linked
 * into it.  Possessor permissions deliberately exclude SETATTR, and
 * the user-level permissions granted are view/read/write/search only
 * (no link, no setattr).  The allocation is not charged to any user's
 * key quota.  After a successful allocation KEY_FLAG_KEEP is set on the
 * keyring, which (per the keys subsystem) is intended to stop it from
 * being unlinked or revoked later.
 *
 * Any allocation failure here is fatal: both the restriction and the
 * keyring allocation panic() on error rather than leaving IMA without a
 * blacklist.  Always returns 0 on the non-panic path.
 */
__init int ima_mok_init(void)
{
	struct key_restriction *link_restriction;

	pr_notice("Allocating IMA blacklist keyring.\n");

	/* Zeroed so every hook other than ->check stays NULL. */
	link_restriction = kzalloc(sizeof(*link_restriction), GFP_KERNEL);
	if (!link_restriction)
		panic("Can't allocate IMA blacklist restriction.");

	/* Gate key linkage on the builtin trusted keyring. */
	link_restriction->check = restrict_link_by_builtin_trusted;

	ima_blacklist_keyring = keyring_alloc(".ima_blacklist",
					      KUIDT_INIT(0), KGIDT_INIT(0),
					      current_cred(),
					      (KEY_POS_ALL & ~KEY_POS_SETATTR) |
					      KEY_USR_VIEW | KEY_USR_READ |
					      KEY_USR_WRITE | KEY_USR_SEARCH,
					      KEY_ALLOC_NOT_IN_QUOTA,
					      link_restriction, NULL);
	if (IS_ERR(ima_blacklist_keyring))
		panic("Can't allocate IMA blacklist keyring.");

	/* Pin the keyring so it cannot be removed after boot. */
	set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags);

	return 0;
}
device_initcall(ima_mok_init);