This patch set closes a number of measurement/appraisal gaps by defining a generic function named ima_hash_and_process_file() for measuring and appraising files read by the kernel (eg. kexec image and initramfs, firmware, IMA policy).
To differentiate between callers of ima_hash_and_process_file() in the IMA policy, a new enumeration is defined named ima_read_hooks, which initially includes KEXEC_CHECK, INITRAMFS_CHECK, FIRMWARE_CHECK, and POLICY_CHECK. Changelog v2: - Calculate the file hash from an in memory buffer (suggested by Dave Young) - Rename ima_read_and_process_file() to ima_hash_and_process_file() to reflect doing a buffer hash. - Changelog v1: - Instead of ima_read_and_process_file() allocating memory, the caller allocates and frees the memory. - Moved the kexec measurement/appraisal call to copy_file_from_fd(). The same call now measures and appraises both the kexec image and initramfs. Mimi Dmitry Kasatkin (3): ima: separate 'security.ima' reading functionality from collect ima: load policy using path ima: provide buffer hash calculation function Mimi Zohar (4): ima: measure and appraise kexec image and initramfs ima: measure and appraise firmware (improvement) ima: measure and appraise the IMA policy itself ima: require signed IMA policy Documentation/ABI/testing/ima_policy | 2 +- drivers/base/firmware_class.c | 5 +++ include/linux/ima.h | 18 ++++++++ kernel/kexec_file.c | 24 ++++++---- security/integrity/digsig.c | 2 +- security/integrity/iint.c | 17 ++++--- security/integrity/ima/ima.h | 36 +++++++++------ security/integrity/ima/ima_api.c | 19 +++----- security/integrity/ima/ima_appraise.c | 38 ++++++++-------- security/integrity/ima/ima_crypto.c | 13 ++++-- security/integrity/ima/ima_fs.c | 45 ++++++++++++++++++- security/integrity/ima/ima_init.c | 2 +- security/integrity/ima/ima_main.c | 50 ++++++++++++++++----- security/integrity/ima/ima_policy.c | 73 +++++++++++++++++++++++-------- security/integrity/ima/ima_template.c | 2 - security/integrity/ima/ima_template_lib.c | 1 - security/integrity/integrity.h | 14 +++--- 17 files changed, 255 insertions(+), 106 deletions(-) -- 2.1.0 -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html