[PATCH v2 0/4] ima: enforcing appraise type

[Mimi Zohar]

The IMA-appraisal extension added local integrity validation and
enforcement of the measurement against a "good" value stored as an
extended attribute 'security.ima'.  The initial methods for validating
'security.ima' were hash and digital signature based.

Missing is the ability to specify the validation method required. This
patch set addresses this omission, by defining a new policy option
'appraise_type='.

As a result of this change, appraisal rules can now be written on a
per hook basis, resulting in different appraisal status results.  The
'ima_appraise_tcb' policy appraises all files owned by root.  A new
hook specific rule could specify that all kernel modules, for example,
require a digital signature.

This patchset defines the 'appraise_type' option and caches the
appraisal result on a per hook basis.

Changelog v2:
- Minor cleanup as described in patch descriptions

Mimi

Dmitry Kasatkin (1):
  ima: added policy support for 'security.ima' type

Mimi Zohar (3):
  ima: increase iint flag size
  ima: per hook cache integrity appraisal status
  ima: differentiate appraise status only for hook specific rules

 Documentation/ABI/testing/ima_policy  |  4 +-
 security/integrity/iint.c             | 10 ++++-
 security/integrity/ima/ima.h          | 13 +++++-
 security/integrity/ima/ima_appraise.c | 76 ++++++++++++++++++++++++++++++-----
 security/integrity/ima/ima_main.c     | 25 +++++++-----
 security/integrity/ima/ima_policy.c   | 43 +++++++++++++++++++-
 security/integrity/integrity.h        | 48 +++++++++++++++-------
 7 files changed, 181 insertions(+), 38 deletions(-)

-- 
1.8.1.rc3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/