[PATCH RFC 04/12] integrity: add integrity_destroy_keyring

Eric Snowberg eric.snowberg at oracle.com
Wed Jul 7 02:43:55 UTC 2021


Not all kernel keyrings need to survive past boot. Add a destroy
function to remove a keyring no longer needed.

Signed-off-by: Eric Snowberg <eric.snowberg at oracle.com>
---
 security/integrity/digsig.c    | 8 ++++++++
 security/integrity/integrity.h | 5 +++++
 2 files changed, 13 insertions(+)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 3b06a01bd0fd..a8436c6b93ec 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -145,6 +145,14 @@ int __init integrity_init_keyring(const unsigned int id)
 	return __integrity_init_keyring(id, perm, restriction);
 }
 
+void __init integrity_destroy_keyring(const unsigned int id)
+{
+	if (id >= INTEGRITY_KEYRING_MAX)
+		return;
+	key_put(keyring[id]);
+	keyring[id] = NULL;
+}
+
 static int __init integrity_add_key(const unsigned int id, const void *data,
 				    off_t size, key_perm_t perm)
 {
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 547425c20e11..f801b2076f01 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -164,6 +164,7 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
 
 int __init integrity_init_keyring(const unsigned int id);
+void __init integrity_destroy_keyring(const unsigned int id);
 int __init integrity_load_x509(const unsigned int id, const char *path);
 int __init integrity_load_cert(const unsigned int id, const char *source,
 			       const void *data, size_t len, key_perm_t perm);
@@ -187,6 +188,10 @@ static inline int integrity_init_keyring(const unsigned int id)
 	return 0;
 }
 
+static inline void __init integrity_destroy_keyring(const unsigned int id)
+{
+}
+
 static inline int __init integrity_load_cert(const unsigned int id,
 					     const char *source,
 					     const void *data, size_t len,
-- 
2.18.4



More information about the Linux-security-module-archive mailing list