[PATCH v1 0/7] ima: measuring/appraising files read by the kernel

[Mimi Zohar]

This patch set closes a number of measurement/appraisal gaps by defining
a generic function named ima_read_and_process_file() for measuring and
appraising files read by the kernel (eg. kexec image and initramfs,
firmware, IMA policy).

To differentiate between callers of ima_read_and_process_file() in the
IMA policy, a new enumeration is defined named ima_read_hooks, which
initially includes KEXEC_CHECK, INITRAMFS_CHECK, FIRMWARE_CHECK, and
POLICY_CHECK.

Changelog v1:
- Instead of ima_read_and_process_file() allocating memory, the caller
allocates and frees the memory.
- Moved the kexec measurement/appraisal call to copy_file_from_fd(). The
same call now measures and appraises both the kexec image and initramfs.
- Support for measuring and appraising the IMA policy.
- Restored the original IMA firmware hook to detect loading unsigned firmware.

Mimi

Dmitry Kasatkin (2):
  ima: separate 'security.ima' reading functionality from collect
  ima: load policy using path

Mimi Zohar (5):
  ima: update appraise flags after policy update completes
  ima: measure and appraise kexec image and initramfs
  ima: measure and appraise firmware (improvement)
  ima: measure and appraise the IMA policy itself
  ima: require signed IMA policy

 Documentation/ABI/testing/ima_policy      |  2 +-
 drivers/base/firmware_class.c             | 15 +++++--
 include/linux/ima.h                       | 12 +++++
 kernel/kexec_file.c                       | 28 +++++++-----
 security/integrity/digsig.c               |  2 +-
 security/integrity/iint.c                 | 24 +++++++---
 security/integrity/ima/ima.h              | 24 +++++-----
 security/integrity/ima/ima_api.c          | 51 +++++++++++++++------
 security/integrity/ima/ima_appraise.c     | 40 +++++++++++------
 security/integrity/ima/ima_crypto.c       | 56 ++++++++++++++++--------
 security/integrity/ima/ima_fs.c           | 45 ++++++++++++++++++-
 security/integrity/ima/ima_init.c         |  2 +-
 security/integrity/ima/ima_main.c         | 55 ++++++++++++++++++-----
 security/integrity/ima/ima_policy.c       | 73 ++++++++++++++++++++++++-------
 security/integrity/ima/ima_template.c     |  2 -
 security/integrity/ima/ima_template_lib.c |  3 +-
 security/integrity/integrity.h            | 14 +++---
 17 files changed, 329 insertions(+), 119 deletions(-)

-- 
2.1.0

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html