Not all kernel keyrings need to survive past boot. Add a destroy
function to remove a keyring no longer needed.
Signed-off-by: Eric Snowberg <[email protected]>
---
security/integrity/digsig.c | 8 ++++++++
security/integrity/integrity.h | 5 +++++
2 files changed, 13 insertions(+)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 3b06a01bd0fd..a8436c6b93ec 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -145,6 +145,14 @@ int __init integrity_init_keyring(const unsigned int id)
return __integrity_init_keyring(id, perm, restriction);
}
+void __init integrity_destroy_keyring(const unsigned int id)
+{
+ if (id >= INTEGRITY_KEYRING_MAX)
+ return;
+ key_put(keyring[id]);
+ keyring[id] = NULL;
+}
+
static int __init integrity_add_key(const unsigned int id, const void *data,
off_t size, key_perm_t perm)
{
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 547425c20e11..f801b2076f01 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -164,6 +164,7 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
int __init integrity_init_keyring(const unsigned int id);
+void __init integrity_destroy_keyring(const unsigned int id);
int __init integrity_load_x509(const unsigned int id, const char *path);
int __init integrity_load_cert(const unsigned int id, const char *source,
const void *data, size_t len, key_perm_t perm);
@@ -187,6 +188,10 @@ static inline int integrity_init_keyring(const unsigned int id)
return 0;
}
+static inline void __init integrity_destroy_keyring(const unsigned int id)
+{
+}
+
static inline int __init integrity_load_cert(const unsigned int id,
const char *source,
const void *data, size_t len,
--
2.18.4