KEYS: Use structure to capture key restriction function and data
Replace struct key's restrict_link function pointer with a pointer to
the new struct key_restriction. The structure contains pointers to the
restriction function as well as relevant data for evaluating the
restriction.
The garbage collector checks restrict_link->keytype when key types are
unregistered. Restrictions involving a removed key type are converted
to use restrict_link_reject so that restrictions cannot be removed by
unregistering key types.
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index e39cce6..6251d1b 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -14,6 +14,7 @@
#include <linux/sched.h>
#include <linux/cred.h>
#include <linux/err.h>
+#include <linux/slab.h>
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
#include <crypto/pkcs7.h>
@@ -68,6 +69,24 @@
return restrict_link_by_signature(dest_keyring, type, payload,
secondary_trusted_keys);
}
+
+/**
+ * Allocate a struct key_restriction for the "builtin and secondary trust"
+ * keyring. Only for use in system_trusted_keyring_init().
+ */
+static __init struct key_restriction *get_builtin_and_secondary_restriction(void)
+{
+ struct key_restriction *restriction;
+
+ restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
+
+ if (!restriction)
+ panic("Can't allocate secondary trusted keyring restriction\n");
+
+ restriction->check = restrict_link_by_builtin_and_secondary_trusted;
+
+ return restriction;
+}
#endif
/*
@@ -95,7 +114,7 @@
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH |
KEY_USR_WRITE),
KEY_ALLOC_NOT_IN_QUOTA,
- restrict_link_by_builtin_and_secondary_trusted,
+ get_builtin_and_secondary_restriction(),
NULL);
if (IS_ERR(secondary_trusted_keys))
panic("Can't allocate secondary trusted keyring\n");