git.baikalelectronics.ru Git - kernel.git/commit

author	Mimi Zohar <zohar@linux.vnet.ibm.com>
	Wed, 21 Feb 2018 16:36:32 +0000 (11:36 -0500)
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>
	Fri, 23 Mar 2018 10:31:37 +0000 (06:31 -0400)
commit	c1e69719af83335e762e45087fa6575138d1d0f2
tree	9827bd28b629bf69db447666494194d118d58e25	tree \| snapshot
parent	6fbe5c82ff3d804980a369c1145a314f0791848e	commit \| diff

ima: fail signature verification based on policy

This patch addresses the fuse privileged mounted filesystems in
environments which are unwilling to accept the risk of trusting the
signature verification and want to always fail safe, but are for example
using a pre-built kernel.

This patch defines a new builtin policy named "fail_securely", which can
be specified on the boot command line as an argument to "ima_policy=".

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Seth Forshee <seth.forshee@canonical.com>
Cc: Dongsu Park <dongsu@kinvolk.io>
Cc: Alban Crequy <alban@kinvolk.io>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>

Documentation/admin-guide/kernel-parameters.txt		diff \| blob \| history
security/integrity/ima/ima_appraise.c		diff \| blob \| history
security/integrity/ima/ima_main.c		diff \| blob \| history
security/integrity/ima/ima_policy.c		diff \| blob \| history
security/integrity/integrity.h		diff \| blob \| history