ima: based on policy require signed kexec kernel images

The original kexec_load syscall can not verify file signatures, nor can the kexec image be measured. Based on policy, deny the kexec_load syscall. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Eric Biederman <ebiederm@xmission.com> Cc: Kees Cook <keescook@chromium.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
author: Mimi Zohar <zohar@linux.vnet.ibm.com> 2018-07-13 21:05:58 +0300
committer: James Morris <james.morris@microsoft.com> 2018-07-16 22:31:57 +0300
commit: 16c267aac86b463b1fcccd43c89f4c8e5c5c86fa (patch)
tree: 550e6fcb00d732a3c018b3258302f8ffd61a4379 /security/integrity/ima/ima.h
parent: a210fd32a46bae6d05b43860fe3b47732501d63b (diff)
download: linux-16c267aac86b463b1fcccd43c89f4c8e5c5c86fa.tar.xz
1 files changed, 1 insertions, 0 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 354bb5716ce3..78c15264b17b 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -232,6 +232,7 @@ int ima_policy_show(struct seq_file *m, void *v);
 #define IMA_APPRAISE_MODULES	0x08
 #define IMA_APPRAISE_FIRMWARE	0x10
 #define IMA_APPRAISE_POLICY	0x20
+#define IMA_APPRAISE_KEXEC	0x40
 
 #ifdef CONFIG_IMA_APPRAISE
 int ima_appraise_measurement(enum ima_hooks func,
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	2018-07-13 21:05:58 +0300
committer	James Morris <james.morris@microsoft.com>	2018-07-16 22:31:57 +0300
commit	16c267aac86b463b1fcccd43c89f4c8e5c5c86fa (patch)
tree	550e6fcb00d732a3c018b3258302f8ffd61a4379 /security/integrity/ima/ima.h
parent	a210fd32a46bae6d05b43860fe3b47732501d63b (diff)
download	linux-16c267aac86b463b1fcccd43c89f4c8e5c5c86fa.tar.xz