Hi everyone,

currently accepted patches for the new template management mechanism allow choosing among a list of supported templates, statically defined in the code. This functionality is not flexible enough, as users may want to include in their measurements list only the information needed and not use predefined combinations.

For this reason, this patch set introduces the new kernel command line parameter 'ima_template_fmt' to specify a custom template format at boot time, i.e. a string of template field identifiers concatenated with the '|' separator character. The complete list of defined template fields can be found in Documentation/security/IMA-templates.txt.

The format string is checked at the very beginning in the setup function ima_template_fmt_setup() so that, if it is wrong, IMA can go back to the default template, selected through a kernel configuration option.

To allow userspace tools to parse a measurements list with a custom format, IMA provides as template name the same format string provided by users at boot time, so that tools know which information is included in an entry and can extract it if they can handle the listed template fields.

Roberto Sassu

Roberto Sassu (4):
  ima: added error messages to template-related functions
  ima: make a copy of template_fmt in template_desc_init_fields()
  ima: display template format in meas. list if template name length is zero
  ima: added support for new kernel cmdline parameter ima_template_fmt

 Documentation/kernel-parameters.txt      |  4 ++
 Documentation/security/IMA-templates.txt | 29 +++++++------
 security/integrity/ima/ima_fs.c          | 18 ++++++--
 security/integrity/ima/ima_template.c    | 71 ++++++++++++++++++++++++++++++--
 4 files changed, 100 insertions(+), 22 deletions(-)

-- 
1.8.1.4
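The format check and fallback described in the cover letter, sketched as a userspace C example that a measurement-list parser could also apply to the template name it reads. This is an added illustration, not code from the patch set: check_template_fmt() and select_template_fmt() are hypothetical names, the field identifiers are assumed from Documentation/security/IMA-templates.txt, and the default format passed in main() is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Field identifiers assumed from Documentation/security/IMA-templates.txt. */
static const char *const known_fields[] = { "d", "n", "d-ng", "n-ng", "sig" };
#define NUM_KNOWN (sizeof(known_fields) / sizeof(known_fields[0]))
#define MAX_FIELDS 16 /* arbitrary cap chosen for this example */

static int field_known(const char *s, size_t len)
{
    for (size_t i = 0; i < NUM_KNOWN; i++)
        if (strlen(known_fields[i]) == len && !memcmp(known_fields[i], s, len))
            return 1;
    return 0;
}

/* Return the number of fields in fmt, or -1 if fmt is NULL or empty, holds an
 * empty or unknown field identifier, or has more than MAX_FIELDS fields. */
int check_template_fmt(const char *fmt)
{
    int count = 0;

    if (!fmt || !*fmt)
        return -1;
    for (const char *p = fmt;;) {
        size_t len = strcspn(p, "|");

        if (len == 0 || !field_known(p, len) || ++count > MAX_FIELDS)
            return -1;
        if (p[len] == '\0')
            return count;
        p += len + 1; /* skip the '|' separator */
    }
}

/* Fallback described in the cover letter: keep a valid custom format,
 * otherwise return the default one. */
const char *select_template_fmt(const char *requested, const char *dflt)
{
    return check_template_fmt(requested) < 0 ? dflt : requested;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *in[] = { "d-ng|n-ng|sig", "n-ng|d-ng", "d-ng|foo", "d-ng||sig", "sig|" };

    for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++)
        printf("%-14s -> %s\n", in[i], select_template_fmt(in[i], "d-ng|n-ng"));
    return 0;
}
```

Rejecting empty fields and a trailing '|' keeps a mistyped boot parameter from silently producing a measurement list with fewer fields than the administrator intended.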