Difference since v5 of the patches:
 - better description of patch #3;
 - added missing IMA_DIGSIG_REQUIRED & IMA_PERMIT_DIRECTIO flags;
This patch-set consists of three separate patches that do the following:

1) Allows multiple writes to the IMA policy. This is considered useful in long-lived systems with multiple tenants, where reboots are not recommended. The new IMA rules are appended to the existing ones, effectively forming a queue. The code also replaces the mutexes with RCU read locks.

2) Adds two more system keyrings: .ima_mok, which is used to create a simple CA hierarchy for the trusted IMA keyring, and .ima_blacklist, which keeps all revoked IMA keys. When IMA_TRUSTED_KEYRING is enabled it is impossible to import a key into .ima if it has not been signed by a key in either the .system or .ima_mok keyring. Before performing signature checks, .ima_blacklist is consulted first, and if an offending key is found the requested operation is rejected.

3) Allows reading back the current IMA policy. It is often useful to be able to read back the IMA policy. It is even more important after introducing CONFIG_IMA_WRITE_POLICY. This option allows the root user to see the current policy rules.

Petko Manolov (3):
  IMA policy can now be updated multiple times.
  Create IMA machine owner and blacklist keyrings;
  Allows reading back the current IMA policy.

 crypto/asymmetric_keys/x509_public_key.c |   2 +
 include/keys/system_keyring.h            |  24 +++
 security/integrity/digsig_asymmetric.c   |  14 ++
 security/integrity/ima/Kconfig           |  39 +++++
 security/integrity/ima/Makefile          |   1 +
 security/integrity/ima/ima.h             |  15 +-
 security/integrity/ima/ima_fs.c          |  42 ++++-
 security/integrity/ima/ima_mok.c         |  54 ++++++
 security/integrity/ima/ima_policy.c      | 286 +++++++++++++++++++++++++++----
 9 files changed, 441 insertions(+), 36 deletions(-)
 create mode 100644 security/integrity/ima/ima_mok.c

-- 
2.6.2