4 files changed, 44 insertions, 2 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index e099875643c5..b0840f9a552f 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -131,3 +131,21 @@ config IMA_TRUSTED_KEYRING
        help
           This option requires that all keys added to the .ima
           keyring be signed by a key on the system trusted keyring.
+config IMA_LOAD_X509
+        bool "Load X509 certificate onto the '.ima' trusted keyring"
+        depends on IMA_TRUSTED_KEYRING
+        default n
+        help
+           File signature verification is based on the public keys
+           loaded on the .ima trusted keyring. These public keys are
+           X509 certificates signed by a trusted key on the
+           .system keyring.  This option enables X509 certificate
+           loading from the kernel onto the '.ima' trusted keyring.
+config IMA_X509_PATH
+        string "IMA X509 certificate path"
+        depends on IMA_LOAD_X509
+        default "/etc/keys/x509_ima.der"
+        help
+           This option defines IMA X509 certificate path.
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index a99eb6d4bc09..b0dc922d8be3 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -173,8 +173,7 @@ int ima_get_action(struct inode *inode, int mask, int function)
 {
        int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
-        if (!ima_appraise)
+        flags &= ima_policy_flag;
-                flags &= ~IMA_APPRAISE;
        return ima_match_policy(inode, function, mask, flags);
 }
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 9164fc8cac84..5e4c29d174ee 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -24,6 +24,12 @@
 #include <crypto/hash_info.h>
 #include "ima.h"
+#ifdef CONFIG_IMA_X509_PATH
+#define IMA_X509_PATH   CONFIG_IMA_X509_PATH
+#else
+#define IMA_X509_PATH   "/etc/keys/x509_ima.der"
+#endif
 /* name for boot aggregate entry */
 static const char *boot_aggregate_name = "boot_aggregate";
 int ima_used_chip;
@@ -91,6 +97,17 @@ err_out:
        return result;
 }
+#ifdef CONFIG_IMA_LOAD_X509
+void __init ima_load_x509(void)
+{
+        int unset_flags = ima_policy_flag & IMA_APPRAISE;
+        ima_policy_flag &= ~unset_flags;
+        integrity_load_x509(INTEGRITY_KEYRING_IMA, IMA_X509_PATH);
+        ima_policy_flag |= unset_flags;
+}
+#endif
 int __init ima_init(void)
 {
        u8 pcr_i[TPM_DIGEST_SIZE];
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 1057abbd31cd..caa1f6ca72e9 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -162,6 +162,14 @@ static inline int asymmetric_verify(struct key *keyring, const char *sig,
 }
 #endif
+#ifdef CONFIG_IMA_LOAD_X509
+void __init ima_load_x509(void);
+#else
+static inline void ima_load_x509(void)
+{
+}
+#endif
 #ifdef CONFIG_INTEGRITY_AUDIT
 /* declarations */
 void integrity_audit_msg(int audit_msgno, struct inode *inode,

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index e099875643c5..b0840f9a552f 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig
@@ -131,3 +131,21 @@ config IMA_TRUSTED_KEYRING
131	help	131	help
132	This option requires that all keys added to the .ima	132	This option requires that all keys added to the .ima
133	keyring be signed by a key on the system trusted keyring.	133	keyring be signed by a key on the system trusted keyring.
		134
		135	config IMA_LOAD_X509
		136	bool "Load X509 certificate onto the '.ima' trusted keyring"
		137	depends on IMA_TRUSTED_KEYRING
		138	default n
		139	help
		140	File signature verification is based on the public keys
		141	loaded on the .ima trusted keyring. These public keys are
		142	X509 certificates signed by a trusted key on the
		143	.system keyring. This option enables X509 certificate
		144	loading from the kernel onto the '.ima' trusted keyring.
		145
		146	config IMA_X509_PATH
		147	string "IMA X509 certificate path"
		148	depends on IMA_LOAD_X509
		149	default "/etc/keys/x509_ima.der"
		150	help
		151	This option defines IMA X509 certificate path.


diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index a99eb6d4bc09..b0dc922d8be3 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c
@@ -173,8 +173,7 @@ int ima_get_action(struct inode *inode, int mask, int function)
173	{	173	{
174	int flags = IMA_MEASURE \| IMA_AUDIT \| IMA_APPRAISE;	174	int flags = IMA_MEASURE \| IMA_AUDIT \| IMA_APPRAISE;
175		175
176	if (!ima_appraise)	176	flags &= ima_policy_flag;
177	flags &= ~IMA_APPRAISE;
178		177
179	return ima_match_policy(inode, function, mask, flags);	178	return ima_match_policy(inode, function, mask, flags);
180	}	179	}


diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 9164fc8cac84..5e4c29d174ee 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c
@@ -24,6 +24,12 @@
24	#include <crypto/hash_info.h>	24	#include <crypto/hash_info.h>
25	#include "ima.h"	25	#include "ima.h"
26		26
		27	#ifdef CONFIG_IMA_X509_PATH
		28	#define IMA_X509_PATH CONFIG_IMA_X509_PATH
		29	#else
		30	#define IMA_X509_PATH "/etc/keys/x509_ima.der"
		31	#endif
		32
27	/* name for boot aggregate entry */	33	/* name for boot aggregate entry */
28	static const char *boot_aggregate_name = "boot_aggregate";	34	static const char *boot_aggregate_name = "boot_aggregate";
29	int ima_used_chip;	35	int ima_used_chip;
@@ -91,6 +97,17 @@ err_out:
91	return result;	97	return result;
92	}	98	}
93		99
		100	#ifdef CONFIG_IMA_LOAD_X509
		101	void __init ima_load_x509(void)
		102	{
		103	int unset_flags = ima_policy_flag & IMA_APPRAISE;
		104
		105	ima_policy_flag &= ~unset_flags;
		106	integrity_load_x509(INTEGRITY_KEYRING_IMA, IMA_X509_PATH);
		107	ima_policy_flag \|= unset_flags;
		108	}
		109	#endif
		110
94	int __init ima_init(void)	111	int __init ima_init(void)
95	{	112	{
96	u8 pcr_i[TPM_DIGEST_SIZE];	113	u8 pcr_i[TPM_DIGEST_SIZE];


diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 1057abbd31cd..caa1f6ca72e9 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h
@@ -162,6 +162,14 @@ static inline int asymmetric_verify(struct key keyring, const char sig,
162	}	162	}
163	#endif	163	#endif
164		164
		165	#ifdef CONFIG_IMA_LOAD_X509
		166	void __init ima_load_x509(void);
		167	#else
		168	static inline void ima_load_x509(void)
		169	{
		170	}
		171	#endif
		172
165	#ifdef CONFIG_INTEGRITY_AUDIT	173	#ifdef CONFIG_INTEGRITY_AUDIT
166	/* declarations */	174	/* declarations */
167	void integrity_audit_msg(int audit_msgno, struct inode *inode,	175	void integrity_audit_msg(int audit_msgno, struct inode *inode,