diff options
author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2014-07-22 10:39:48 -0400 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2014-07-25 11:47:46 -0700 |
commit | 5a9196d715607f76d6b7d96a0970d6065335e62b (patch) | |
tree | df323588d1026b947e489c5fb9c83299dbcb9689 /Documentation/ABI | |
parent | 6593d9245bc66e6e3cf4ba6d365a7833110c1402 (diff) |
ima: add support for measuring and appraising firmware
The "security: introduce kernel_fw_from_file hook" patch defined a
new security hook to evaluate any loaded firmware that wasn't built
into the kernel.
This patch defines ima_fw_from_file(), which is called from the new
security hook, to measure and/or appraise the loaded firmware's
integrity.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'Documentation/ABI')
-rw-r--r-- | Documentation/ABI/testing/ima_policy | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 4c3efe43480..d0d0c578324 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -26,6 +26,7 @@ Description: option: [[appraise_type=]] [permit_directio] base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK] + [FIRMWARE_CHECK] mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] fsmagic:= hex value fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) @@ -57,7 +58,8 @@ Description: measure func=BPRM_CHECK measure func=FILE_MMAP mask=MAY_EXEC measure func=FILE_CHECK mask=MAY_READ uid=0 - measure func=MODULE_CHECK uid=0 + measure func=MODULE_CHECK + measure func=FIRMWARE_CHECK appraise fowner=0 The default policy measures all executables in bprm_check, |