certs/blacklist.c
Source file repositories/reference/linux-study-clean/certs/blacklist.c
File Facts
- System
- Linux kernel
- Corpus path
certs/blacklist.c- Extension
.c- Size
- 9720 bytes
- Lines
- 377
- Domain
- Core OS
- Bucket
- Core Kernel Interface
- Inferred role
- Core OS: exported/initcall integration point
- Status
- integration implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Exports symbols or registers init work; inspect boot/module ordering and who consumes the exported contract.
- Allocates kernel memory; connect allocation flags and lifetime to context constraints.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
linux/module.hlinux/slab.hlinux/key.hlinux/key-type.hlinux/sched.hlinux/ctype.hlinux/err.hlinux/hex.hlinux/seq_file.hlinux/uidgid.hkeys/asymmetric-type.hkeys/system_keyring.hblacklist.h
Detected Declarations
function blacklist_vet_descriptionfunction blacklist_key_instantiatefunction blacklist_key_updatefunction blacklist_describefunction mark_raw_hash_blacklistedfunction mark_hash_blacklistedfunction is_hash_blacklistedfunction is_binary_blacklistedfunction add_key_to_revocation_listfunction is_key_on_revocation_listfunction restrict_link_for_blacklistfunction blacklist_initfunction load_revocation_certificate_listmodule init blacklist_initexport is_hash_blacklistedexport is_binary_blacklisted
Annotated Snippet
* device_initcall(). As a result if the blacklist_init() function fails for
* any reason the kernel continues to execute. While cleanly returning -ENODEV
* could be acceptable for some non-critical kernel parts, if the blacklist
* keyring fails to load it defeats the certificate/key based deny list for
* signed modules. If a critical piece of security functionality that users
* expect to be present fails to initialize, panic()ing is likely the right
* thing to do.
*/
static int __init blacklist_init(void)
{
const char *const *bl;
struct key_restriction *restriction;
if (register_key_type(&key_type_blacklist) < 0)
panic("Can't allocate system blacklist key type\n");
restriction = kzalloc_obj(*restriction);
if (!restriction)
panic("Can't allocate blacklist keyring restriction\n");
restriction->check = restrict_link_for_blacklist;
blacklist_keyring =
keyring_alloc(".blacklist",
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH |
KEY_POS_WRITE |
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH
#ifdef CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE
| KEY_USR_WRITE
#endif
, KEY_ALLOC_NOT_IN_QUOTA |
KEY_ALLOC_SET_KEEP,
restriction, NULL);
if (IS_ERR(blacklist_keyring))
panic("Can't allocate system blacklist keyring\n");
for (bl = blacklist_hashes; *bl; bl++)
if (mark_raw_hash_blacklisted(*bl) < 0)
pr_err("- blacklisting failed\n");
return 0;
}
/*
* Must be initialised before we try and load the keys into the keyring.
*/
device_initcall(blacklist_init);
#ifdef CONFIG_SYSTEM_REVOCATION_LIST
/*
* Load the compiled-in list of revocation X.509 certificates.
*/
static __init int load_revocation_certificate_list(void)
{
if (revocation_certificate_list_size)
pr_notice("Loading compiled-in revocation X.509 certificates\n");
return x509_load_certificate_list(revocation_certificate_list,
revocation_certificate_list_size,
blacklist_keyring);
}
late_initcall(load_revocation_certificate_list);
#endif
Annotation
- Immediate include surface: `linux/module.h`, `linux/slab.h`, `linux/key.h`, `linux/key-type.h`, `linux/sched.h`, `linux/ctype.h`, `linux/err.h`, `linux/hex.h`.
- Detected declarations: `function blacklist_vet_description`, `function blacklist_key_instantiate`, `function blacklist_key_update`, `function blacklist_describe`, `function mark_raw_hash_blacklisted`, `function mark_hash_blacklisted`, `function is_hash_blacklisted`, `function is_binary_blacklisted`, `function add_key_to_revocation_list`, `function is_key_on_revocation_list`.
- Atlas domain: Core OS / Core Kernel Interface.
- Implementation status: integration implementation candidate.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.