• Mimi Zohar's avatar
    ima: per hook cache integrity appraisal status · d79d72e0
    Mimi Zohar authored
    With the new IMA policy 'appraise_type=' option, different hooks
    can require different methods for appraising a file's integrity.
    
    For example, the existing 'ima_appraise_tcb' policy defines a
    generic rule, requiring all root files to be appraised, without
    specfying the appraisal method.  A more specific rule could require
    all kernel modules, for example, to be signed.
    
    appraise fowner=0 func=MODULE_CHECK appraise_type=imasig
    appraise fowner=0
    
    As a result, the integrity appraisal results for the same inode, but
    for different hooks, could differ.  This patch caches the integrity
    appraisal results on a per hook basis.
    
    Changelog v2:
    - Rename ima_cache_status() to ima_set_cache_status()
    - Rename and move get_appraise_status() to ima_get_cache_status()
    Changelog v0:
    - include IMA_APPRAISE/APPRAISED_SUBMASK in IMA_DO/DONE_MASK (Dmitry)
    - Support independent MODULE_CHECK appraise status.
    - fixed IMA_XXXX_APPRAISE/APPRAISED flags
    Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
    Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@intel.com>
    d79d72e0
ima_appraise.c 7.49 KB