summaryrefslogtreecommitdiff
path: root/Documentation
diff options
context:
space:
mode:
authorLakshmi Ramasubramanian <nramas@linux.microsoft.com>2019-12-11 19:47:03 +0300
committerMimi Zohar <zohar@linux.ibm.com>2019-12-12 16:53:50 +0300
commit5808611cccb28044940d04ebd303dc90f33b77b1 (patch)
tree078c06ef373bfe2e252910c59060fd54e2e2e4c4 /Documentation
parentc5563bad88e07017e08cce1142903e501598c80c (diff)
downloadlinux-5808611cccb28044940d04ebd303dc90f33b77b1.tar.xz
IMA: Add KEY_CHECK func to measure keys
Measure keys loaded onto any keyring. This patch defines a new IMA policy func namely KEY_CHECK to measure keys. Updated ima_match_rules() to check for KEY_CHECK and ima_parse_rule() to handle KEY_CHECK. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'Documentation')
-rw-r--r--Documentation/ABI/testing/ima_policy6
1 files changed, 5 insertions, 1 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 29aaedf33246..066d32797500 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -29,7 +29,7 @@ Description:
base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
[FIRMWARE_CHECK]
[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
- [KEXEC_CMDLINE]
+ [KEXEC_CMDLINE] [KEY_CHECK]
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
[[^]MAY_EXEC]
fsmagic:= hex value
@@ -113,3 +113,7 @@ Description:
Example of appraise rule allowing modsig appended signatures:
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
+
+ Example of measure rule using KEY_CHECK to measure all keys:
+
+ measure func=KEY_CHECK