diff options
| author | Mat Martineau <mathew.j.martineau@linux.intel.com> | 2016-08-31 19:05:43 -0400 |
|---|---|---|
| committer | Mat Martineau <mathew.j.martineau@linux.intel.com> | 2017-04-04 17:10:10 -0400 |
| commit | 2b6aa412ff23a02ac777ad307249c60a839cfd25 (patch) | |
| tree | 317dced64727a10b3ce09ca84ac8e153c7dabf77 /certs | |
| parent | e9cc0f689a7c0c9be6fed6861b3a3f49ad0e7a52 (diff) | |
KEYS: Use structure to capture key restriction function and data
Replace struct key's restrict_link function pointer with a pointer to
the new struct key_restriction. The structure contains pointers to the
restriction function as well as relevant data for evaluating the
restriction.
The garbage collector checks restrict_link->keytype when key types are
unregistered. Restrictions involving a removed key type are converted
to use restrict_link_reject so that restrictions cannot be removed by
unregistering key types.
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Diffstat (limited to 'certs')
| -rw-r--r-- | certs/system_keyring.c | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index e39cce68dcfa..6251d1b27f0c 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c | |||
| @@ -14,6 +14,7 @@ | |||
| 14 | #include <linux/sched.h> | 14 | #include <linux/sched.h> |
| 15 | #include <linux/cred.h> | 15 | #include <linux/cred.h> |
| 16 | #include <linux/err.h> | 16 | #include <linux/err.h> |
| 17 | #include <linux/slab.h> | ||
| 17 | #include <keys/asymmetric-type.h> | 18 | #include <keys/asymmetric-type.h> |
| 18 | #include <keys/system_keyring.h> | 19 | #include <keys/system_keyring.h> |
| 19 | #include <crypto/pkcs7.h> | 20 | #include <crypto/pkcs7.h> |
| @@ -68,6 +69,24 @@ int restrict_link_by_builtin_and_secondary_trusted( | |||
| 68 | return restrict_link_by_signature(dest_keyring, type, payload, | 69 | return restrict_link_by_signature(dest_keyring, type, payload, |
| 69 | secondary_trusted_keys); | 70 | secondary_trusted_keys); |
| 70 | } | 71 | } |
| 72 | |||
| 73 | /** | ||
| 74 | * Allocate a struct key_restriction for the "builtin and secondary trust" | ||
| 75 | * keyring. Only for use in system_trusted_keyring_init(). | ||
| 76 | */ | ||
| 77 | static __init struct key_restriction *get_builtin_and_secondary_restriction(void) | ||
| 78 | { | ||
| 79 | struct key_restriction *restriction; | ||
| 80 | |||
| 81 | restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); | ||
| 82 | |||
| 83 | if (!restriction) | ||
| 84 | panic("Can't allocate secondary trusted keyring restriction\n"); | ||
| 85 | |||
| 86 | restriction->check = restrict_link_by_builtin_and_secondary_trusted; | ||
| 87 | |||
| 88 | return restriction; | ||
| 89 | } | ||
| 71 | #endif | 90 | #endif |
| 72 | 91 | ||
| 73 | /* | 92 | /* |
| @@ -95,7 +114,7 @@ static __init int system_trusted_keyring_init(void) | |||
| 95 | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH | | 114 | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH | |
| 96 | KEY_USR_WRITE), | 115 | KEY_USR_WRITE), |
| 97 | KEY_ALLOC_NOT_IN_QUOTA, | 116 | KEY_ALLOC_NOT_IN_QUOTA, |
| 98 | restrict_link_by_builtin_and_secondary_trusted, | 117 | get_builtin_and_secondary_restriction(), |
| 99 | NULL); | 118 | NULL); |
| 100 | if (IS_ERR(secondary_trusted_keys)) | 119 | if (IS_ERR(secondary_trusted_keys)) |
| 101 | panic("Can't allocate secondary trusted keyring\n"); | 120 | panic("Can't allocate secondary trusted keyring\n"); |