[PATCH 06/20] ima: create '_ima' as a builtin 'trusted' keyring
From: Dmitry Kasatkin
Date: Wed Apr 23 2014 - 09:35:27 EST
Require all keys added to the IMA keyring be signed by an
existing trusted key on the system trusted keyring.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@xxxxxxxxxxx>
---
security/integrity/ima/Kconfig | 9 +++++++++
security/integrity/ima/ima_init.c | 1 +
2 files changed, 10 insertions(+)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 5f95e50..be11c01 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -122,3 +122,12 @@ config IMA_APPRAISE
For more information on integrity appraisal refer to:
<http://linux-ima.sourceforge.net>
If unsure, say N.
+
+config IMA_TRUSTED_KEYRING
+ bool "Require all keys on the _ima keyring be signed"
+ depends on IMA && SYSTEM_TRUSTED_KEYRING
+ select INTEGRITY_TRUSTED_KEYRING
+ default y
+ help
+ This option requires that all keys added to the _ima
+ keyring be signed by a key on the system trusted keyring.
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index e8f9d70..515c1a2 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -107,6 +107,7 @@ int __init ima_init(void)
ima_add_boot_aggregate(); /* boot aggregate must be first entry */
ima_init_policy();
+ integrity_init_keyring(INTEGRITY_KEYRING_IMA);
return ima_fs_init();
}
--
1.8.3.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/