This patch set closes a number of measurement/appraisal gaps by defining a generic function named ima_read_and_process_file() for measuring and appraising files read by the kernel (e.g. kexec image and initramfs, firmware, IMA policy).
To differentiate between callers of ima_read_and_process_file() in the IMA policy, a new enumeration is defined named ima_read_hooks, which initially includes KEXEC_CHECK, INITRAMFS_CHECK, FIRMWARE_CHECK, and POLICY_CHECK.

Changelog v1:
- Instead of ima_read_and_process_file() allocating memory, the caller allocates and frees the memory.
- Moved the kexec measurement/appraisal call to copy_file_from_fd(). The same call now measures and appraises both the kexec image and initramfs.
- Support for measuring and appraising the IMA policy.
- Restored the original IMA firmware hook to detect loading unsigned firmware.

Mimi

Dmitry Kasatkin (2):
  ima: separate 'security.ima' reading functionality from collect
  ima: load policy using path

Mimi Zohar (5):
  ima: update appraise flags after policy update completes
  ima: measure and appraise kexec image and initramfs
  ima: measure and appraise firmware (improvement)
  ima: measure and appraise the IMA policy itself
  ima: require signed IMA policy

 Documentation/ABI/testing/ima_policy      |  2 +-
 drivers/base/firmware_class.c             | 15 +++++--
 include/linux/ima.h                       | 12 +++++
 kernel/kexec_file.c                       | 28 +++++++-----
 security/integrity/digsig.c               |  2 +-
 security/integrity/iint.c                 | 24 +++++++---
 security/integrity/ima/ima.h              | 24 +++++-----
 security/integrity/ima/ima_api.c          | 51 +++++++++++++++------
 security/integrity/ima/ima_appraise.c     | 40 +++++++++++------
 security/integrity/ima/ima_crypto.c       | 56 ++++++++++++++++--------
 security/integrity/ima/ima_fs.c           | 45 ++++++++++++++++++-
 security/integrity/ima/ima_init.c         |  2 +-
 security/integrity/ima/ima_main.c         | 55 ++++++++++++++++++-----
 security/integrity/ima/ima_policy.c       | 73 ++++++++++++++++++++++++-------
 security/integrity/ima/ima_template.c     |  2 -
 security/integrity/ima/ima_template_lib.c |  3 +-
 security/integrity/integrity.h            | 14 +++---
 17 files changed, 329 insertions(+), 119 deletions(-)

-- 
2.1.0
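The following is an added userspace model of the design the cover letter describes; it is not code from the patch set or from the kernel. It keeps the page's names (ima_read_and_process_file, the ima_read_hooks values, copy_file_from_fd as the example caller) and models the v1 changelog point that the caller owns the buffer. Everything else is assumed for illustration: the POLICY dict standing in for the IMA policy rules, the ImaState class standing in for the measurement list and the 'security.ima' reference values, a plain SHA-256 comparison standing in for signature verification, the 0 / -EACCES return convention, and the helper names collect_digest, kernel_caller and demo.

```python
import errno
import hashlib
from enum import Enum, auto


class ImaReadHook(Enum):
    """Caller identities named in the cover letter's ima_read_hooks enum."""
    KEXEC_CHECK = auto()
    INITRAMFS_CHECK = auto()
    FIRMWARE_CHECK = auto()
    POLICY_CHECK = auto()


# Assumed stand-in for the IMA policy: which actions apply to each read hook.
# The real rule grammar lives in Documentation/ABI/testing/ima_policy.
POLICY = {
    ImaReadHook.KEXEC_CHECK: {"measure", "appraise"},
    ImaReadHook.INITRAMFS_CHECK: {"measure", "appraise"},
    ImaReadHook.FIRMWARE_CHECK: {"measure", "appraise"},
    ImaReadHook.POLICY_CHECK: {"measure", "appraise"},
}


class ImaState:
    """Constructed stand-in for kernel state: the measurement list and the
    trusted digests that play the role of the 'security.ima' reference."""

    def __init__(self):
        self.measurements = []   # entries of (hook name, file name, sha256 hex)
        self.expected = {}       # file name -> trusted sha256 hex

    def record_expected(self, name, data):
        """Model 'installing' a trusted reference value for a file."""
        self.expected[name] = collect_digest(data)


def collect_digest(buf):
    """Hash the caller-supplied buffer (models the IMA collect step)."""
    return hashlib.sha256(buf).hexdigest()


def ima_read_and_process_file(buf, hook, name, state):
    """Generic measure-and-appraise step shared by all callers.

    The caller allocates and later frees buf (v1 changelog). Returns 0 when
    the file may be used, or -EACCES when appraisal fails. Measurement is
    recorded before appraisal so a rejected file still leaves an entry.
    """
    actions = POLICY.get(hook, set())
    digest = collect_digest(buf)
    if "measure" in actions:
        state.measurements.append((hook.name, name, digest))
    if "appraise" in actions and state.expected.get(name) != digest:
        return -errno.EACCES
    return 0


def kernel_caller(state, name, data, hook):
    """Models a caller such as copy_file_from_fd(): allocate, process, free."""
    buf = bytes(data)                                   # caller-owned buffer
    rc = ima_read_and_process_file(buf, hook, name, state)
    del buf                                             # caller frees it
    return rc


def demo():
    """Run constructed sample files through each hook; returns (results, state)."""
    state = ImaState()
    kernel_img = b"vmlinuz image (constructed sample)"
    initrd = b"initramfs cpio (constructed sample)"
    fw = b"firmware blob (constructed sample)"
    policy = b"ima policy text (constructed sample)"

    # Trusted references exist for the kernel, initramfs and firmware,
    # but deliberately not for the policy (an "unsigned" policy).
    for name, data in (("vmlinuz", kernel_img), ("initrd", initrd), ("fw.bin", fw)):
        state.record_expected(name, data)

    results = {
        "kexec": kernel_caller(state, "vmlinuz", kernel_img, ImaReadHook.KEXEC_CHECK),
        "initramfs": kernel_caller(state, "initrd", initrd, ImaReadHook.INITRAMFS_CHECK),
        "firmware": kernel_caller(state, "fw.bin", fw, ImaReadHook.FIRMWARE_CHECK),
        # A modified firmware blob no longer matches its reference digest.
        "firmware_tampered": kernel_caller(state, "fw.bin", fw + b"X", ImaReadHook.FIRMWARE_CHECK),
        # No reference for the policy: loading it is refused, as the
        # 'require signed IMA policy' patch intends.
        "policy_unsigned": kernel_caller(state, "policy", policy, ImaReadHook.POLICY_CHECK),
    }
    return results, state


if __name__ == "__main__":
    res, st = demo()
    for key, rc in res.items():
        print(f"{key:18s} rc={rc}")
    for entry in st.measurements:
        print("measured:", entry)
```

The point the model makes is that every kernel file read funnels through one routine, and the hook value is the only thing the policy needs to tell a kexec image from a firmware blob or the policy file itself; the five measurement-list entries and the two -EACCES results show measurement happening regardless of appraisal outcome.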