The IMA-appraisal extension added local integrity validation and enforcement of the measurement against a "good" value stored as an extended attribute 'security.ima'. The initial methods for validating 'security.ima' were hash and digital signature based.
Missing is the ability to specify the validation method required. This patch set addresses this omission, by defining a new policy option 'appraise_type='. As a result of this change, appraisal rules can now be written on a per hook basis, resulting in different appraisal status results. The 'ima_appraise_tcb' policy appraises all files owned by root. A new hook specific rule could specify that all kernel modules, for example, require a digital signature. This patchset defines the 'appraise_type' option and caches the appraisal result on a per hook basis. Changelog v2: - Minor cleanup as described in patch descriptions Mimi Dmitry Kasatkin (1): ima: added policy support for 'security.ima' type Mimi Zohar (3): ima: increase iint flag size ima: per hook cache integrity appraisal status ima: differentiate appraise status only for hook specific rules Documentation/ABI/testing/ima_policy | 4 +- security/integrity/iint.c | 10 ++++- security/integrity/ima/ima.h | 13 +++++- security/integrity/ima/ima_appraise.c | 76 ++++++++++++++++++++++++++++++----- security/integrity/ima/ima_main.c | 25 +++++++----- security/integrity/ima/ima_policy.c | 43 +++++++++++++++++++- security/integrity/integrity.h | 48 +++++++++++++++------- 7 files changed, 181 insertions(+), 38 deletions(-) -- 1.8.1.rc3 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
