diff options
| author |   Dmitry Kasatkin <dmitry.kasatkin@huawei.com> | 2014-04-11 17:47:01 +0300 |
|---|---|---|
| committer |   Mimi Zohar <zohar@linux.vnet.ibm.com> | 2016-02-21 09:34:05 -0500 |
| commit | 7429b092811fb20c6a5b261c2c116a6a90cb9a29 (patch) | |
| tree | d0f141c188d413de6e718689e314b5fe6a39a195 /include/linux | |
| parent | ima: support for kexec image and initramfs (diff) | |
| download | linux-dev-7429b092811fb20c6a5b261c2c116a6a90cb9a29.tar.xz linux-dev-7429b092811fb20c6a5b261c2c116a6a90cb9a29.zip | |
ima: load policy using path
We currently cannot do appraisal or signature vetting of IMA policies
since we currently can only load IMA policies by writing the contents
of the policy directly in, as follows:
cat policy-file > <securityfs>/ima/policy
If we provide the kernel the path to the IMA policy so it can load
the policy itself it'd be able to later appraise or vet the file
signature if it has one. This patch adds support to load the IMA
policy with a given path as follows:
echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy
Changelog v4+:
- moved kernel_read_file_from_path() error messages to callers
v3:
- moved kernel_read_file_from_path() to a separate patch
v2:
- after re-ordering the patches, replace calling integrity_kernel_read()
to read the file with kernel_read_file_from_path() (Mimi)
- Patch description re-written by Luis R. Rodriguez
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/fs.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/fs.h b/include/linux/fs.h index 52567252288e..e514f76db04f 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2581,6 +2581,7 @@ enum kernel_read_file_id { READING_MODULE, READING_KEXEC_IMAGE, READING_KEXEC_INITRAMFS, + READING_POLICY, READING_MAX_ID }; |