From fd5f4e9054acbf4f22fac81a358baf3c27aa42ac Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Wed, 5 Nov 2014 17:01:14 +0200 Subject: ima: load x509 certificate from the kernel Define configuration option to load X509 certificate into the IMA trusted kernel keyring. It implements ima_load_x509() hook to load X509 certificate into the .ima trusted kernel keyring from the root filesystem. Changes in v3: * use ima_policy_flag in ima_get_action() ima_load_x509 temporarily clears ima_policy_flag to disable appraisal to load key. Use it to skip appraisal rules. * Key directory path changed to /etc/keys (Mimi) * Expand IMA_LOAD_X509 Kconfig help Changes in v2: * added '__init' * use ima_policy_flag to disable appraisal to load keys Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_api.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'security/integrity/ima/ima_api.c') diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index a99eb6d4bc0..b0dc922d8be 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -173,8 +173,7 @@ int ima_get_action(struct inode *inode, int mask, int function) { int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE; - if (!ima_appraise) - flags &= ~IMA_APPRAISE; + flags &= ima_policy_flag; return ima_match_policy(inode, function, mask, flags); } -- cgit v1.2.3-70-g09d2