[PATCH v1 1/4] ima: provide hook to load IMA keys when rootfs is ready
From: Dmitry Kasatkin
Date: Tue Jul 15 2014 - 08:58:59 EST
Keys can only be loaded when rootfs is mounted. Initcalls
are not suitable for that. Provide a special hook.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@xxxxxxxxxxx>
---
include/linux/ima.h | 9 +++++++++
init/main.c | 6 +++++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 23a87a4..b617c1a 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -73,4 +73,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry,
return 0;
}
#endif /* CONFIG_IMA_APPRAISE */
+
+#ifdef CONFIG_IMA_APPRAISE_SIGNED_INIT
+extern void __init ima_prepare_keys(void);
+#else
+static inline void ima_prepare_keys(void)
+{
+}
+#endif
+
#endif /* _LINUX_IMA_H */
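Review bot: The new `ima_prepare_keys()` declaration has no comment describing its contract, and its `void` return type means a failure to load keys cannot be reported to the caller in init/main.c. The implementation is not part of this patch, so the header should document when the hook runs and what happens on failure, for example `/* Called once from kernel_init_freeable() after rootfs is mounted; loads IMA public keys. Failures are handled inside the hook. */`. If signed-init appraisal is meant to be enforced, the failure policy (log only, refuse to continue, or fall back) should be stated explicitly rather than left implicit. `CONFIG_IMA_APPRAISE_SIGNED_INIT` is not defined by any file in this patch; presumably a later patch in the series adds the Kconfig entry.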
diff --git a/init/main.c b/init/main.c
index e8ae1fe..b24cfaa 100644
--- a/init/main.c
+++ b/init/main.c
@@ -78,6 +78,7 @@
#include <linux/context_tracking.h>
#include <linux/random.h>
#include <linux/list.h>
+#include <linux/ima.h>
#include <asm/io.h>
#include <asm/bugs.h>
@@ -1028,6 +1029,9 @@ static noinline void __init kernel_init_freeable(void)
* initmem segments and start the user-mode stuff..
*/
- /* rootfs is available now, try loading default modules */
+ /* rootfs is available now */
+ /* try loading public keys */
+ ima_prepare_keys();
+ /* try loading default modules */
load_default_modules();
}
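Review bot: The comment `/* try loading public keys */` above `ima_prepare_keys()` does not say what authenticates the key material read from rootfs. That matters because the call runs before `load_default_modules()` and before any user space starts. The loader is outside this patch, so this is inferred, but if these keys become a trust anchor for appraisal they should be accepted only when verified against a key the kernel already trusts; otherwise the integrity of the appraisal rests on whoever can write the rootfs. I would make the expectation visible at the call site, e.g. `/* load IMA public keys; the hook must verify them against a built-in trusted key */`. The body of kernel_init_freeable() starts outside this hunk.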
--
1.9.1