Differences since v4 of the patches:

 - comments cleanup and a bug fix (IMA_FS_BUSY) for 1)
 - code cleanup and a bug fix (Opt_fsuuid) for 3)
This patch-set consists of three separate patches that do the following:

1) Allows multiple writes to the IMA policy. This is considered useful to do in long-lived systems with multiple tenants and where reboots are not recommended. The new IMA rules are appended to the existing ones, effectively forming a queue. The code also replaces the mutexes with RCU read locks.

2) Adds two more system keyrings: .ima_mok, which is used to create a simple CA hierarchy for the trusted IMA keyring, and .ima_blacklist, which keeps all revoked IMA keys. When IMA_TRUSTED_KEYRING is enabled it is impossible to import a key into .ima if it has not been signed by a key in either the .system or the .ima_mok keyring. Before performing signature checks .ima_blacklist is consulted first, and if an offending key is found the requested operation is rejected.

3) When developing and debugging an IMA-enabled system it is often useful to be able to read the IMA policy. This patch allows for doing so. However, being able to read the IMA policy is considered insecure and is strongly discouraged for production-grade kernels.

Petko Manolov (3):
  IMA policy can now be updated multiple times.
  Create IMA machine owner and blacklist keyrings;
  Allows reading back the current IMA policy;

 crypto/asymmetric_keys/x509_public_key.c |   2 +
 include/keys/system_keyring.h            |  24 +++
 security/integrity/digsig_asymmetric.c   |  14 ++
 security/integrity/ima/Kconfig           |  40 +++++
 security/integrity/ima/Makefile          |   1 +
 security/integrity/ima/ima.h             |  13 +-
 security/integrity/ima/ima_fs.c          |  42 ++++-
 security/integrity/ima/ima_mok.c         |  54 ++++++
 security/integrity/ima/ima_policy.c      | 282 +++++++++++++++++++++++++++----
 9 files changed, 436 insertions(+), 36 deletions(-)
 create mode 100644 security/integrity/ima/ima_mok.c

-- 
2.6.1