[PATCH v2 0/7] ima: measuring/appraising files read by the kernel

[Mimi Zohar]

This patch set closes a number of measurement/appraisal gaps by defining
a generic function named ima_hash_and_process_file() for measuring and
appraising files read by the kernel (eg. kexec image and initramfs,
firmware, IMA policy).

To differentiate between callers of ima_hash_and_process_file() in the
IMA policy, a new enumeration is defined named ima_read_hooks, which
initially includes KEXEC_CHECK, INITRAMFS_CHECK, FIRMWARE_CHECK, and
POLICY_CHECK.

Changelog v2:
- Calculate the file hash from an in memory buffer (suggested by Dave Young)
- Rename ima_read_and_process_file() to ima_hash_and_process_file() to
reflect doing a buffer hash.
- 
Changelog v1:
- Instead of ima_read_and_process_file() allocating memory, the caller
allocates and frees the memory.
- Moved the kexec measurement/appraisal call to copy_file_from_fd(). The
same call now measures and appraises both the kexec image and initramfs.

Mimi

Dmitry Kasatkin (3):
  ima: separate 'security.ima' reading functionality from collect
  ima: load policy using path
  ima: provide buffer hash calculation function

Mimi Zohar (4):
  ima: measure and appraise kexec image and initramfs
  ima: measure and appraise firmware (improvement)
  ima: measure and appraise the IMA policy itself
  ima: require signed IMA policy

 Documentation/ABI/testing/ima_policy      |  2 +-
 drivers/base/firmware_class.c             |  5 +++
 include/linux/ima.h                       | 18 ++++++++
 kernel/kexec_file.c                       | 24 ++++++----
 security/integrity/digsig.c               |  2 +-
 security/integrity/iint.c                 | 17 ++++---
 security/integrity/ima/ima.h              | 36 +++++++++------
 security/integrity/ima/ima_api.c          | 19 +++-----
 security/integrity/ima/ima_appraise.c     | 38 ++++++++--------
 security/integrity/ima/ima_crypto.c       | 13 ++++--
 security/integrity/ima/ima_fs.c           | 45 ++++++++++++++++++-
 security/integrity/ima/ima_init.c         |  2 +-
 security/integrity/ima/ima_main.c         | 50 ++++++++++++++++-----
 security/integrity/ima/ima_policy.c       | 73 +++++++++++++++++++++++--------
 security/integrity/ima/ima_template.c     |  2 -
 security/integrity/ima/ima_template_lib.c |  1 -
 security/integrity/integrity.h            | 14 +++---
 17 files changed, 255 insertions(+), 106 deletions(-)

-- 
2.1.0

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html