
[RFC,v3,09/13] clavis: Allow user to define acl at build time

Message ID 20241017155516.2582369-10-eric.snowberg@oracle.com (mailing list archive)

Commit Message

Eric Snowberg Oct. 17, 2024, 3:55 p.m. UTC
Add a new Kconfig option called SECURITY_CLAVIS_ACL_LIST. If set, this option
should be the file name of a list of clavis ACL entries. This will be
included into a C wrapper to incorporate the acl list into the kernel.
The file contents must be in the following format: <two digit key usage
number>:<subject key id>. If more than one entry is added, add a carriage
return after each entry.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 security/clavis/.gitignore           |  1 +
 security/clavis/Kconfig              | 10 ++++++++++
 security/clavis/Makefile             | 16 ++++++++++++++++
 security/clavis/clavis.h             |  2 ++
 security/clavis/clavis_builtin_acl.c |  7 +++++++
 security/clavis/clavis_keyring.c     |  1 +
 6 files changed, 37 insertions(+)
 create mode 100644 security/clavis/.gitignore
 create mode 100644 security/clavis/clavis_builtin_acl.c


diff --git a/security/clavis/.gitignore b/security/clavis/.gitignore
new file mode 100644
index 000000000000..c1b60bee049e
--- /dev/null
+++ b/security/clavis/.gitignore
@@ -0,0 +1 @@ 
+/builtin_acl
diff --git a/security/clavis/Kconfig b/security/clavis/Kconfig
index 04f7565f2e2b..b702311ec905 100644
--- a/security/clavis/Kconfig
+++ b/security/clavis/Kconfig
@@ -9,3 +9,13 @@  config SECURITY_CLAVIS
 	  keyrings (builtin, secondary, or platform).  One way to add this key
 	  is during boot by passing in the asymmetric key id within the "clavis=" boot
 	  param.  This keyring is required by the Clavis LSM.
+
+config SECURITY_CLAVIS_ACL_LIST
+	string "Clavis ACL list to preload into the clavis keyring"
+	depends on SECURITY_CLAVIS
+	help
+	  If set, this option should be the file name of a list of clavis ACL
+	  entries. This will be included into a C wrapper to incorporate the
+	  acl list into the kernel. The file contents must be in the following
+	  format: <two digit key usage number>:<subject key id>.  If more than
+	  one entry is added, add a carriage return after each entry.
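Review bot: The help text for SECURITY_CLAVIS_ACL_LIST does not say how the file name is resolved or that entries are folded to lowercase before being built in, both of which a user setting the option needs to know, and "carriage return" is misleading because the generator in security/clavis/Makefile (same patch) processes the file line by line, so a plain newline is what separates entries. I would end the help with `Each entry must be on its own line; entries are converted to lowercase when built into the kernel.` and add a sentence on path resolution, presumably relative to the top of the kernel tree as with other Kconfig file paths — confirm against how the Makefile prerequisite is resolved in O= builds. The option also has no `default ""`, which is fine for a string but worth stating explicitly since the Makefile's empty-string branch is the expected default.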
diff --git a/security/clavis/Makefile b/security/clavis/Makefile
index a3430dd6bdf9..082e6d3c0934 100644
--- a/security/clavis/Makefile
+++ b/security/clavis/Makefile
@@ -2,3 +2,19 @@ 
 
 obj-$(CONFIG_SECURITY_CLAVIS) += clavis_keyring.o
 obj-$(CONFIG_SECURITY_CLAVIS) += clavis.o
+obj-$(CONFIG_SECURITY_CLAVIS) += clavis_builtin_acl.o
+
+ifeq ($(CONFIG_SECURITY_CLAVIS_ACL_LIST),)
+quiet_cmd_make_builtin_acl = GEN     $@
+      cmd_make_builtin_acl = \
+	echo > $@
+else
+quiet_cmd_make_builtin_acl = GEN     $@
+      cmd_make_builtin_acl = \
+	sed 's/^[ \t]*//; s/.*/"&",/' $< | tr '[:upper:]' '[:lower:]' > $@
+endif
+
+$(obj)/builtin_acl: $(CONFIG_SECURITY_CLAVIS_ACL_LIST) FORCE
+	$(call if_changed,make_builtin_acl)
+
+$(obj)/clavis_builtin_acl.o: $(obj)/builtin_acl
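Review bot: The `cmd_make_builtin_acl` on the else branch embeds the configured file into C source verbatim, so nothing enforces the `<two digit key usage number>:<subject key id>` format the help text promises: a blank or comment line becomes an empty `"",` entry handed to clavis_add_acl at init, trailing whitespace or the CR of a CRLF file stays inside the string literal (the sed only strips leading `[ \t]`), and a `"` or `\` in the file yields a broken or differently-parsed literal. Since this file is a build-time trust input, I would reject malformed lines at generation time and drop blank lines and trailing whitespace before wrapping, as sketched below; it assumes subject key ids are hex digits, which the help text does not state, so adjust the character class to whatever clavis_add_acl actually accepts. The `echo > $@` branch is fine as the blank line leaves only the NULL terminator in the array.
```makefile
else
quiet_cmd_make_builtin_acl = GEN     $@
      cmd_make_builtin_acl = \
	if grep -nvE '^[[:space:]]*([0-9]{2}:[0-9a-fA-F]+)?[[:space:]]*$$' $<; then \
		echo "$<: malformed Clavis ACL entry (expected NN:<subject key id>)" >&2; \
		exit 1; \
	fi; \
	sed '/^[[:space:]]*$$/d; s/^[[:space:]]*//; s/[[:space:]]*$$//; s/.*/"&",/' $< | \
		tr '[:upper:]' '[:lower:]' > $@
endif
```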
diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h
index b77e4ec8edbe..7099a517b111 100644
--- a/security/clavis/clavis.h
+++ b/security/clavis/clavis.h
@@ -14,6 +14,8 @@  struct asymmetric_setup_kid {
 	unsigned char data[CLAVIS_BIN_KID_MAX];
 };
 
+extern const char __initconst *const clavis_builtin_acl_list[];
+
 #ifndef CONFIG_SYSTEM_TRUSTED_KEYRING
 const char __initconst *const clavis_module_acl[] = {
 	 NULL
diff --git a/security/clavis/clavis_builtin_acl.c b/security/clavis/clavis_builtin_acl.c
new file mode 100644
index 000000000000..c98b6df05413
--- /dev/null
+++ b/security/clavis/clavis_builtin_acl.c
@@ -0,0 +1,7 @@ 
+// SPDX-License-Identifier: GPL-2.0
+#include "clavis.h"
+
+const char __initconst *const clavis_builtin_acl_list[] = {
+#include "builtin_acl"
+	NULL
+};
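Review bot: The new file gives no hint that `builtin_acl` is generated rather than checked in; the .gitignore entry elsewhere in this patch is the only clue, and a reader hitting a missing-include error will not find it there. A short comment above the array would save the trip to the Makefile, e.g. `/* builtin_acl is generated by security/clavis/Makefile from CONFIG_SECURITY_CLAVIS_ACL_LIST: one lower-cased "NN:<subject key id>" string literal per line, or nothing (just the NULL terminator) when the option is unset. */`. The array is `__initconst`, so the string pointers are only valid during init; that matches it being consumed from `__init clavis_keyring_init`, but it is worth stating in the comment in case clavis_add_acl ever keeps the entries by pointer rather than copying them, which I cannot tell from this hunk.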
diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c
index 1e1fbb54f6be..a4a95a931b50 100644
--- a/security/clavis/clavis_keyring.c
+++ b/security/clavis/clavis_keyring.c
@@ -300,6 +300,7 @@  int __init clavis_keyring_init(void)
 		panic("Can't allocate clavis keyring\n");
 
 	clavis_add_acl(clavis_module_acl, clavis_keyring);
+	clavis_add_acl(clavis_builtin_acl_list, clavis_keyring);
 
 	return 0;
 }
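Review bot: The new clavis_add_acl call is unconditional, and nothing here records that clavis_builtin_acl_list collapses to `{ NULL }` when CONFIG_SECURITY_CLAVIS_ACL_LIST is unset (the Makefile's `echo > $@` branch), which is what makes calling it without an `#ifdef` safe. A one-line comment would make that intent explicit: `/* Build-time ACL from CONFIG_SECURITY_CLAVIS_ACL_LIST; only the NULL terminator when unset. */`. As with the existing clavis_module_acl call on the line above, any status clavis_add_acl might return is dropped; if it can report a rejected entry, a built-in list that silently fails to load would leave the kernel enforcing less than the builder intended, so at least a pr_warn seems warranted — its signature is not visible here, so this is for the author to confirm.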