On Wed, 2015-12-02 at 17:47 +0200, Petko Manolov wrote:
> Difference since v5 of the patches:
>
>   - better description of patch #3;
>   - added missing IMA_DIGSIG_REQUIRED & IMA_PERMIT_DIRECTIO flags;
>
> This patch-set consists of three separate patches that do the following:
>
> 1) Allows multiple writes to the IMA policy. This is considered useful to do in
> long-lived systems with multiple tenants and where reboots are not
> recommended. The new IMA rules are appended to the existing ones, effectively
> forming a queue. The code also replaces the mutexes with RCU read locks.
>
> 2) Adds two more system keyrings - .ima_mok, which is used to create a simple CA
> hierarchy for the trusted IMA keyring, and .ima_blacklist, which keeps all
> revoked IMA keys. When the IMA_TRUSTED_KEYRING is enabled it is impossible to
> import a key into .ima if it has not been signed by a key in either the .system or
> .ima_mok keyrings. Before performing signature checks .ima_blacklist is
> consulted first and if an offending key is found the requested operation is
> rejected.
>
> 3) Allows reading back the current IMA policy. It is often useful to be able to
> read back the IMA policy. It is even more important after introducing
> CONFIG_IMA_WRITE_POLICY. This option allows the root user to see the current
> policy rules.
Thank you for the patches. I've taken the liberty to prefix the patch names
with the subsystem.

  IMA: allow reading back the current IMA policy
  IMA: create machine owner and blacklist keyrings
  IMA: policy can now be updated multiple times

The patches are available from:
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git ima-keyrings

Mimi
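An added example, not part of this thread or of the patch set, of the workflow patches 1 and 3 enable: appending rules to the live IMA policy in several writes and reading the cumulative policy back to confirm the queue grew. It assumes a kernel with CONFIG_IMA_WRITE_POLICY and CONFIG_IMA_READ_POLICY, securityfs mounted at /sys/kernel/security, and root. The IMA_POLICY variable and the function names are this example's own, so the script can be pointed at a scratch file when no such kernel is at hand.

```shell
# Added example (not code from the patches or the mailing-list thread).
# IMA_POLICY is an assumption of this script: it defaults to the securityfs
# policy file but can be overridden with a scratch file for dry runs.
IMA_POLICY="${IMA_POLICY:-/sys/kernel/security/ima/policy}"

# Feed rules to the policy file one write() per rule, e.g.
#   appraise func=BPRM_CHECK fowner=0 appraise_type=imasig
# The kernel consumes one rule per write. '>>' is used so that a scratch
# file accumulates rules the way the kernel does; on securityfs the
# append flag changes nothing, the kernel appends regardless.
ima_append_rules() {
    for rule in "$@"; do
        printf '%s\n' "$rule" >> "$IMA_POLICY" || return 1
    done
}

# Read the current (cumulative) policy back. Without CONFIG_IMA_READ_POLICY
# the file is write-only and this read fails.
ima_read_policy() {
    cat "$IMA_POLICY"
}

# Count the rules currently in force. The kernel prints rules back in its
# own canonical form, so counting non-blank lines is more robust than
# matching the exact strings that were written.
ima_rule_count() {
    ima_read_policy | awk 'NF { n++ } END { print n + 0 }'
}

# Append the given rules and confirm the rule queue grew by exactly that
# many entries; returns non-zero if a write was rejected or the count is off.
ima_append_and_check() {
    before=$(ima_rule_count)
    ima_append_rules "$@" || return 1
    after=$(ima_rule_count)
    [ "$after" -eq $((before + $#)) ]
}

# Usage (as root, on a supporting kernel):
#   ima_append_and_check 'measure func=BPRM_CHECK' \
#       'appraise func=BPRM_CHECK fowner=0 appraise_type=imasig'
#   ima_read_policy
```

Because new rules are appended rather than replacing the loaded policy, anything already in force stays in force; a second write on a kernel without CONFIG_IMA_WRITE_POLICY is refused, which is exactly what `ima_append_and_check` reports by returning non-zero.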