/*
 * Copyright (C) 2015 Juniper Networks, Inc.
 *
 * Author:
 * Petko Manolov <petko.manolov@konsulko.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 *
 */

#include <linux/export.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/cred.h>
#include <linux/err.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <keys/system_keyring.h>


/* The ".ima_blacklist" keyring, created once at boot by ima_mok_init(). */
struct key *ima_blacklist_keyring;

/*
 * ima_mok_init - allocate the IMA blacklist keyring at device_initcall time.
 *
 * Builds a link restriction around restrict_link_by_builtin_trusted and
 * creates a root-owned (uid 0 / gid 0) ".ima_blacklist" keyring with it,
 * so every key linked into the keyring must pass that check (presumably
 * that it is vouched for by the builtin trusted keys - see the restriction
 * callback itself). The keyring is then flagged KEY_FLAG_KEEP.
 *
 * Both allocations panic on failure: a security keyring that silently
 * failed to exist would be worse than refusing to boot.
 *
 * Returns 0 on success (never returns otherwise).
 */
__init int ima_mok_init(void)
{
	struct key_restriction *link_restriction;

	pr_notice("Allocating IMA blacklist keyring.\n");

	/*
	 * NOTE(review): the restriction is handed to keyring_alloc() and is
	 * not freed here - presumably the keyring takes ownership; confirm
	 * against keyring_alloc()/keyring_destroy().
	 */
	link_restriction = kzalloc(sizeof(*link_restriction), GFP_KERNEL);
	if (!link_restriction)
		panic("Can't allocate IMA blacklist restriction.");

	link_restriction->check = restrict_link_by_builtin_trusted;

	/*
	 * Possessor gets everything except SETATTR; the owner (root) may
	 * view, read, search and write. Writes are still subject to the
	 * link restriction above, which is what keeps arbitrary root-added
	 * keys out of the blacklist.
	 */
	ima_blacklist_keyring = keyring_alloc(".ima_blacklist",
				KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
				(KEY_POS_ALL & ~KEY_POS_SETATTR) |
				KEY_USR_VIEW | KEY_USR_READ |
				KEY_USR_WRITE | KEY_USR_SEARCH,
				KEY_ALLOC_NOT_IN_QUOTA,
				link_restriction, NULL);
	if (IS_ERR(ima_blacklist_keyring))
		panic("Can't allocate IMA blacklist keyring.");

	/*
	 * KEY_FLAG_KEEP - presumably prevents the keyring from being
	 * revoked/unlinked from userspace later; verify in keyctl paths.
	 */
	set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags);

	return 0;
}
device_initcall(ima_mok_init);