diff options
| author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2013-06-07 06:16:34 -0400 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2013-10-26 21:32:54 -0400 |
| commit | 4286587dccd43d4f81fa227e413ed7e909895342 (patch) | |
| tree | 94781e93d49c79253048e60b21d822c635cda444 /security/integrity | |
| parent | add1c05dceb495a45036d66cdcbb3b2306de26c1 (diff) | |
ima: add Kconfig default measurement list template
This patch adds a Kconfig option to select the default IMA
measurement list template. The 'ima' template limited the
filedata hash to 20 bytes and the pathname to 255 charaters.
The 'ima-ng' measurement list template permits larger hash
digests and longer pathnames.
Changelog:
- keep 'select CRYPTO_HASH_INFO' in 'config IMA' section (Kconfig)
(Roberto Sassu);
- removed trailing whitespaces (Roberto Sassu).
- Lindent fixes
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Diffstat (limited to 'security/integrity')
| -rw-r--r-- | security/integrity/ima/Kconfig | 25 | ||||
| -rw-r--r-- | security/integrity/ima/ima_template.c | 4 |
2 files changed, 27 insertions, 2 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index e6628e783df1..de26cc873ae6 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig | |||
| @@ -46,6 +46,31 @@ config IMA_LSM_RULES | |||
| 46 | help | 46 | help |
| 47 | Disabling this option will disregard LSM based policy rules. | 47 | Disabling this option will disregard LSM based policy rules. |
| 48 | 48 | ||
| 49 | choice | ||
| 50 | prompt "Default template" | ||
| 51 | default IMA_NG_TEMPLATE | ||
| 52 | depends on IMA | ||
| 53 | help | ||
| 54 | Select the default IMA measurement template. | ||
| 55 | |||
| 56 | The original 'ima' measurement list template contains a | ||
| 57 | hash, defined as 20 bytes, and a null terminated pathname, | ||
| 58 | limited to 255 characters. The 'ima-ng' measurement list | ||
| 59 | template permits both larger hash digests and longer | ||
| 60 | pathnames. | ||
| 61 | |||
| 62 | config IMA_TEMPLATE | ||
| 63 | bool "ima" | ||
| 64 | config IMA_NG_TEMPLATE | ||
| 65 | bool "ima-ng (default)" | ||
| 66 | endchoice | ||
| 67 | |||
| 68 | config IMA_DEFAULT_TEMPLATE | ||
| 69 | string | ||
| 70 | depends on IMA | ||
| 71 | default "ima" if IMA_TEMPLATE | ||
| 72 | default "ima-ng" if IMA_NG_TEMPLATE | ||
| 73 | |||
| 49 | config IMA_APPRAISE | 74 | config IMA_APPRAISE |
| 50 | bool "Appraise integrity measurements" | 75 | bool "Appraise integrity measurements" |
| 51 | depends on IMA | 76 | depends on IMA |
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c index 1c4cf194592c..c28ff9bf8f32 100644 --- a/security/integrity/ima/ima_template.c +++ b/security/integrity/ima/ima_template.c | |||
| @@ -127,8 +127,8 @@ static int init_defined_templates(void) | |||
| 127 | struct ima_template_desc *ima_template_desc_current(void) | 127 | struct ima_template_desc *ima_template_desc_current(void) |
| 128 | { | 128 | { |
| 129 | if (!ima_template) | 129 | if (!ima_template) |
| 130 | ima_template = lookup_template_desc(IMA_TEMPLATE_IMA_NAME); | 130 | ima_template = |
| 131 | 131 | lookup_template_desc(CONFIG_IMA_DEFAULT_TEMPLATE); | |
| 132 | return ima_template; | 132 | return ima_template; |
| 133 | } | 133 | } |
| 134 | 134 | ||