summaryrefslogtreecommitdiffstats
path: root/Documentation/ABI
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2014-07-22 10:39:48 -0400
committerKees Cook <keescook@chromium.org>2014-07-25 11:47:46 -0700
commit5a9196d715607f76d6b7d96a0970d6065335e62b (patch)
treedf323588d1026b947e489c5fb9c83299dbcb9689 /Documentation/ABI
parent6593d9245bc66e6e3cf4ba6d365a7833110c1402 (diff)
ima: add support for measuring and appraising firmware
The "security: introduce kernel_fw_from_file hook" patch defined a new security hook to evaluate any loaded firmware that wasn't built into the kernel. This patch defines ima_fw_from_file(), which is called from the new security hook, to measure and/or appraise the loaded firmware's integrity. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'Documentation/ABI')
-rw-r--r--Documentation/ABI/testing/ima_policy4
1 files changed, 3 insertions, 1 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 4c3efe43480..d0d0c578324 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -26,6 +26,7 @@ Description:
option: [[appraise_type=]] [permit_directio]
base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
+ [FIRMWARE_CHECK]
mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
fsmagic:= hex value
fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
@@ -57,7 +58,8 @@ Description:
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
- measure func=MODULE_CHECK uid=0
+ measure func=MODULE_CHECK
+ measure func=FIRMWARE_CHECK
appraise fowner=0
The default policy measures all executables in bprm_check,