summaryrefslogtreecommitdiffstats
path: root/certs
diff options
context:
space:
mode:
authorMat Martineau <mathew.j.martineau@linux.intel.com>2016-09-01 01:05:43 +0200
committerMat Martineau <mathew.j.martineau@linux.intel.com>2017-04-04 23:10:10 +0200
commit2b6aa412ff23a02ac777ad307249c60a839cfd25 (patch)
tree317dced64727a10b3ce09ca84ac8e153c7dabf77 /certs
parentKEYS: Add a key restriction struct (diff)
downloadlinux-2b6aa412ff23a02ac777ad307249c60a839cfd25.tar.xz
linux-2b6aa412ff23a02ac777ad307249c60a839cfd25.zip
KEYS: Use structure to capture key restriction function and data
Replace struct key's restrict_link function pointer with a pointer to the new struct key_restriction. The structure contains pointers to the restriction function as well as relevant data for evaluating the restriction. The garbage collector checks restrict_link->keytype when key types are unregistered. Restrictions involving a removed key type are converted to use restrict_link_reject so that restrictions cannot be removed by unregistering key types. Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Diffstat (limited to 'certs')
-rw-r--r--certs/system_keyring.c21
1 files changed, 20 insertions, 1 deletions
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index e39cce68dcfa..6251d1b27f0c 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -14,6 +14,7 @@
#include <linux/sched.h>
#include <linux/cred.h>
#include <linux/err.h>
+#include <linux/slab.h>
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
#include <crypto/pkcs7.h>
@@ -68,6 +69,24 @@ int restrict_link_by_builtin_and_secondary_trusted(
return restrict_link_by_signature(dest_keyring, type, payload,
secondary_trusted_keys);
}
+
+/**
+ * Allocate a struct key_restriction for the "builtin and secondary trust"
+ * keyring. Only for use in system_trusted_keyring_init().
+ */
+static __init struct key_restriction *get_builtin_and_secondary_restriction(void)
+{
+ struct key_restriction *restriction;
+
+ restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
+
+ if (!restriction)
+ panic("Can't allocate secondary trusted keyring restriction\n");
+
+ restriction->check = restrict_link_by_builtin_and_secondary_trusted;
+
+ return restriction;
+}
#endif
/*
@@ -95,7 +114,7 @@ static __init int system_trusted_keyring_init(void)
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH |
KEY_USR_WRITE),
KEY_ALLOC_NOT_IN_QUOTA,
- restrict_link_by_builtin_and_secondary_trusted,
+ get_builtin_and_secondary_restriction(),
NULL);
if (IS_ERR(secondary_trusted_keys))
panic("Can't allocate secondary trusted keyring\n");