certs/blacklist.c

Source file repositories/reference/linux-study-clean/certs/blacklist.c

File Facts

System
Linux kernel
Corpus path
certs/blacklist.c
Extension
.c
Size
9720 bytes
Lines
377
Domain
Core OS
Bucket
Core Kernel Interface
Inferred role
Core OS: exported/initcall integration point
Status
integration implementation candidate

Why This File Exists

Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.

Dependency Surface

Detected Declarations

Annotated Snippet

* device_initcall().  As a result if the blacklist_init() function fails for
 * any reason the kernel continues to execute.  While cleanly returning -ENODEV
 * could be acceptable for some non-critical kernel parts, if the blacklist
 * keyring fails to load it defeats the certificate/key based deny list for
 * signed modules.  If a critical piece of security functionality that users
 * expect to be present fails to initialize, panic()ing is likely the right
 * thing to do.
 */
static int __init blacklist_init(void)
{
	const char *const *bl;
	struct key_restriction *restriction;

	if (register_key_type(&key_type_blacklist) < 0)
		panic("Can't allocate system blacklist key type\n");

	restriction = kzalloc_obj(*restriction);
	if (!restriction)
		panic("Can't allocate blacklist keyring restriction\n");
	restriction->check = restrict_link_for_blacklist;

	blacklist_keyring =
		keyring_alloc(".blacklist",
			      GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
			      KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH |
			      KEY_POS_WRITE |
			      KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH
#ifdef CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE
			      | KEY_USR_WRITE
#endif
			      , KEY_ALLOC_NOT_IN_QUOTA |
			      KEY_ALLOC_SET_KEEP,
			      restriction, NULL);
	if (IS_ERR(blacklist_keyring))
		panic("Can't allocate system blacklist keyring\n");

	for (bl = blacklist_hashes; *bl; bl++)
		if (mark_raw_hash_blacklisted(*bl) < 0)
			pr_err("- blacklisting failed\n");
	return 0;
}

/*
 * Must be initialised before we try and load the keys into the keyring.
 */
device_initcall(blacklist_init);

#ifdef CONFIG_SYSTEM_REVOCATION_LIST
/*
 * Load the compiled-in list of revocation X.509 certificates.
 */
static __init int load_revocation_certificate_list(void)
{
	if (revocation_certificate_list_size)
		pr_notice("Loading compiled-in revocation X.509 certificates\n");

	return x509_load_certificate_list(revocation_certificate_list,
					  revocation_certificate_list_size,
					  blacklist_keyring);
}
late_initcall(load_revocation_certificate_list);
#endif

Annotation

Implementation Notes