xref: /openbmc/linux/security/integrity/ima/ima_mok.c (revision 151f4e2b)
1 /*
2  * Copyright (C) 2015 Juniper Networks, Inc.
3  *
4  * Author:
5  * Petko Manolov <petko.manolov@konsulko.com>
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU General Public License as
9  * published by the Free Software Foundation, version 2 of the
10  * License.
11  *
12  */
13 
14 #include <linux/export.h>
15 #include <linux/kernel.h>
16 #include <linux/sched.h>
17 #include <linux/cred.h>
18 #include <linux/err.h>
19 #include <linux/init.h>
20 #include <linux/slab.h>
21 #include <keys/system_keyring.h>
22 
23 
24 struct key *ima_blacklist_keyring;
25 
26 /*
27  * Allocate the IMA blacklist keyring
28  */
29 __init int ima_mok_init(void)
30 {
31 	struct key_restriction *restriction;
32 
33 	pr_notice("Allocating IMA blacklist keyring.\n");
34 
35 	restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
36 	if (!restriction)
37 		panic("Can't allocate IMA blacklist restriction.");
38 
39 	restriction->check = restrict_link_by_builtin_trusted;
40 
41 	ima_blacklist_keyring = keyring_alloc(".ima_blacklist",
42 				KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
43 				(KEY_POS_ALL & ~KEY_POS_SETATTR) |
44 				KEY_USR_VIEW | KEY_USR_READ |
45 				KEY_USR_WRITE | KEY_USR_SEARCH,
46 				KEY_ALLOC_NOT_IN_QUOTA,
47 				restriction, NULL);
48 
49 	if (IS_ERR(ima_blacklist_keyring))
50 		panic("Can't allocate IMA blacklist keyring.");
51 
52 	set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags);
53 	return 0;
54 }
55 device_initcall(ima_mok_init);
56