diff options
Diffstat (limited to 'security/integrity/ima/ima_mok.c')
| -rw-r--r-- | security/integrity/ima/ima_mok.c | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/security/integrity/ima/ima_mok.c b/security/integrity/ima/ima_mok.c new file mode 100644 index 000000000..95cc31525 --- /dev/null +++ b/security/integrity/ima/ima_mok.c @@ -0,0 +1,49 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Copyright (C) 2015 Juniper Networks, Inc. + * + * Author: + * Petko Manolov <petko.manolov@konsulko.com> + */ + +#include <linux/export.h> +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/cred.h> +#include <linux/err.h> +#include <linux/init.h> +#include <linux/slab.h> +#include <keys/system_keyring.h> + + +struct key *ima_blacklist_keyring; + +/* + * Allocate the IMA blacklist keyring + */ +static __init int ima_mok_init(void) +{ + struct key_restriction *restriction; + + pr_notice("Allocating IMA blacklist keyring.\n"); + + restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); + if (!restriction) + panic("Can't allocate IMA blacklist restriction."); + + restriction->check = restrict_link_by_builtin_trusted; + + ima_blacklist_keyring = keyring_alloc(".ima_blacklist", + KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), + (KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ | + KEY_USR_WRITE | KEY_USR_SEARCH, + KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_SET_KEEP, + restriction, NULL); + + if (IS_ERR(ima_blacklist_keyring)) + panic("Can't allocate IMA blacklist keyring."); + return 0; +} +device_initcall(ima_mok_init); |