aboutsummaryrefslogtreecommitdiffstats
path: root/security/integrity
diff options
context:
space:
mode:
authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-11-05 10:01:16 -0500
committerMimi Zohar <zohar@linux.vnet.ibm.com>2014-11-17 23:12:01 -0500
commitc57782c13ecd7e7aca66cbf0139ad2a72317dc81 (patch)
tree4addf9930efefacc0394ffca22b56cb4e9083fe4 /security/integrity
parentc9cd2ce2bc6313aafa33f8e28d29a8690252f219 (diff)
ima: require signature based appraisal
This patch provides CONFIG_IMA_APPRAISE_SIGNED_INIT kernel configuration option to force IMA appraisal using signatures. This is useful, when EVM key is not initialized yet and we want securely initialize integrity or any other functionality. It forces embedded policy to require signature. Signed initialization script can initialize EVM key, update the IMA policy and change further requirement of everything to be signed. Changes in v3: * kernel parameter fixed to configuration option in the patch description Changes in v2: * policy change of this patch separated from the key loading patch Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/ima/Kconfig7
-rw-r--r--security/integrity/ima/ima_policy.c6
2 files changed, 13 insertions, 0 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index b0840f9a552f..b80a93ec1ccc 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -149,3 +149,10 @@ config IMA_X509_PATH
149 default "/etc/keys/x509_ima.der" 149 default "/etc/keys/x509_ima.der"
150 help 150 help
151 This option defines IMA X509 certificate path. 151 This option defines IMA X509 certificate path.
152
153config IMA_APPRAISE_SIGNED_INIT
154 bool "Require signed user-space initialization"
155 depends on IMA_LOAD_X509
156 default n
157 help
158 This option requires user-space init to be signed.
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 0d14d2591805..d1eefb9d65fb 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -100,7 +100,13 @@ static struct ima_rule_entry default_appraise_rules[] = {
100 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 100 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
101 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 101 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
102 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 102 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
103#ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
103 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER}, 104 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
105#else
106 /* force signature */
107 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID,
108 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
109#endif
104}; 110};
105 111
106static LIST_HEAD(ima_default_rules); 112static LIST_HEAD(ima_default_rules);