summaryrefslogtreecommitdiffstats
path: root/net/ipv6/Kconfig
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2012-12-03 17:08:11 -0500
committerMimi Zohar <zohar@linux.vnet.ibm.com>2013-01-22 16:10:36 -0500
commitd79d72e02485c00b886179538dc8deaffa3be507 (patch)
tree92690d5cbd6e4a0a3bee369033fe18d9b2d065f7 /net/ipv6/Kconfig
parentf578c08ec959cb0cdadf02bdc9689a4df3e9b9d4 (diff)
ima: per hook cache integrity appraisal status
With the new IMA policy 'appraise_type=' option, different hooks can require different methods for appraising a file's integrity. For example, the existing 'ima_appraise_tcb' policy defines a generic rule, requiring all root files to be appraised, without specfying the appraisal method. A more specific rule could require all kernel modules, for example, to be signed. appraise fowner=0 func=MODULE_CHECK appraise_type=imasig appraise fowner=0 As a result, the integrity appraisal results for the same inode, but for different hooks, could differ. This patch caches the integrity appraisal results on a per hook basis. Changelog v2: - Rename ima_cache_status() to ima_set_cache_status() - Rename and move get_appraise_status() to ima_get_cache_status() Changelog v0: - include IMA_APPRAISE/APPRAISED_SUBMASK in IMA_DO/DONE_MASK (Dmitry) - Support independent MODULE_CHECK appraise status. - fixed IMA_XXXX_APPRAISE/APPRAISED flags Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Diffstat (limited to 'net/ipv6/Kconfig')
0 files changed, 0 insertions, 0 deletions