141c89b64SPetko Manolov /*
241c89b64SPetko Manolov  * Copyright (C) 2015 Juniper Networks, Inc.
341c89b64SPetko Manolov  *
441c89b64SPetko Manolov  * Author:
541c89b64SPetko Manolov  * Petko Manolov <petko.manolov@konsulko.com>
641c89b64SPetko Manolov  *
741c89b64SPetko Manolov  * This program is free software; you can redistribute it and/or
841c89b64SPetko Manolov  * modify it under the terms of the GNU General Public License as
941c89b64SPetko Manolov  * published by the Free Software Foundation, version 2 of the
1041c89b64SPetko Manolov  * License.
1141c89b64SPetko Manolov  *
1241c89b64SPetko Manolov  */
1341c89b64SPetko Manolov 
1441c89b64SPetko Manolov #include <linux/export.h>
1541c89b64SPetko Manolov #include <linux/kernel.h>
1641c89b64SPetko Manolov #include <linux/sched.h>
1741c89b64SPetko Manolov #include <linux/cred.h>
1841c89b64SPetko Manolov #include <linux/err.h>
1992cc9166SPaul Gortmaker #include <linux/init.h>
20a511e1afSDavid Howells #include <keys/system_keyring.h>
2141c89b64SPetko Manolov 
2241c89b64SPetko Manolov 
/* The ".ima_mok" keyring; allocated at boot by ima_mok_init() below. */
struct key *ima_mok_keyring;
/* The ".ima_blacklist" keyring; allocated at boot by ima_mok_init() below. */
struct key *ima_blacklist_keyring;
2541c89b64SPetko Manolov 
/*
 * Allocate one root-owned keyring called @description.
 *
 * Both IMA keyrings share the same policy, which is worth spelling out:
 *  - owner/group are UID/GID 0 and the creating credentials are whatever
 *    current_cred() returns during the initcall;
 *  - the possessor gets every permission except SETATTR, so the keyring's
 *    owner, group and permission mask cannot be altered after creation;
 *  - UID 0 may view, read, write (link/unlink) and search the keyring.
 *    KEY_USR_WRITE is NOT what limits which keys can be added: that is
 *    the link restriction, restrict_link_by_builtin_trusted, which (per
 *    its name) only admits keys vouched for by the builtin trusted keyring;
 *  - KEY_ALLOC_NOT_IN_QUOTA keeps the keyring out of the key quota.
 *
 * Return: the new keyring, or an ERR_PTR() on failure.
 */
static struct key * __init ima_alloc_restricted_keyring(const char *description)
{
	const key_perm_t perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) |
				KEY_USR_VIEW | KEY_USR_READ |
				KEY_USR_WRITE | KEY_USR_SEARCH;

	return keyring_alloc(description, KUIDT_INIT(0), KGIDT_INIT(0),
			     current_cred(), perm, KEY_ALLOC_NOT_IN_QUOTA,
			     restrict_link_by_builtin_trusted, NULL);
}

/*
 * ima_mok_init - allocate the IMA MOK and blacklist keyrings at boot
 *
 * Both keyrings are allocated before either result is inspected; if either
 * allocation failed the kernel panics rather than continue without them.
 *
 * Only the blacklist keyring is marked KEY_FLAG_KEEP, i.e. flagged for the
 * keys subsystem to refuse removal of its contents (see KEY_FLAG_KEEP in
 * security/keys for the exact operations refused).  NOTE(review): the
 * ".ima_mok" keyring gets no such flag, so, subject to the keys subsystem's
 * own checks, UID 0 holds KEY_USR_WRITE on it and may unlink keys from it;
 * confirm that is intended.
 *
 * Return: 0 on success; does not return on allocation failure.
 */
__init int ima_mok_init(void)
{
	pr_notice("Allocating IMA MOK and blacklist keyrings.\n");

	ima_mok_keyring = ima_alloc_restricted_keyring(".ima_mok");
	ima_blacklist_keyring = ima_alloc_restricted_keyring(".ima_blacklist");

	if (IS_ERR(ima_mok_keyring) || IS_ERR(ima_blacklist_keyring))
		panic("Can't allocate IMA MOK or blacklist keyrings.");

	/* Pin the blacklist so its entries cannot be dropped from userspace. */
	set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags);
	return 0;
}
/* Run ima_mok_init() once during boot, at the device initcall level. */
device_initcall(ima_mok_init);
56