| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1382395388-8108-21-git-send-email-zohar@linux.vnet.ibm.com>
Date: Mon, 21 Oct 2013 18:43:05 -0400
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: linux-security-module@...r.kernel.org
Cc: Mimi Zohar <zohar@...ux.vnet.ibm.com>,
linux-kernel@...r.kernel.org, James Morris <jmorris@...ei.org>,
David Howells <dhowells@...hat.com>,
Mimi Zohar <zohar@...ibm.com>,
Roberto Sassu <roberto.sassu@...ito.it>
Subject: [PATCH v2 20/23] ima: add Kconfig default measurement list template
This patch adds a Kconfig option to select the default IMA
measurement list template. The 'ima' template limited the
filedata hash to 20 bytes and the pathname to 255 charaters.
The 'ima-ng' measurement list template permits larger hash
digests and longer pathnames.
Changelog:
- keep 'select CRYPTO_HASH_INFO' in 'config IMA' section (Kconfig)
(Roberto Sassu);
- removed trailing whitespaces (Roberto Sassu).
- Lindent fixes
Signed-off-by: Mimi Zohar <zohar@...ibm.com>
Signed-off-by: Roberto Sassu <roberto.sassu@...ito.it>
---
security/integrity/ima/Kconfig | 25 +++++++++++++++++++++++++
security/integrity/ima/ima_template.c | 4 ++--
2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index e6628e7..de26cc8 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -46,6 +46,31 @@ config IMA_LSM_RULES
help
Disabling this option will disregard LSM based policy rules.
+choice
+ prompt "Default template"
+ default IMA_NG_TEMPLATE
+ depends on IMA
+ help
+ Select the default IMA measurement template.
+
+ The original 'ima' measurement list template contains a
+ hash, defined as 20 bytes, and a null terminated pathname,
+ limited to 255 characters. The 'ima-ng' measurement list
+ template permits both larger hash digests and longer
+ pathnames.
+
+ config IMA_TEMPLATE
+ bool "ima"
+ config IMA_NG_TEMPLATE
+ bool "ima-ng (default)"
+endchoice
+
+config IMA_DEFAULT_TEMPLATE
+ string
+ depends on IMA
+ default "ima" if IMA_TEMPLATE
+ default "ima-ng" if IMA_NG_TEMPLATE
+
config IMA_APPRAISE
bool "Appraise integrity measurements"
depends on IMA
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index 1c4cf19..c28ff9b 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -127,8 +127,8 @@ static int init_defined_templates(void)
struct ima_template_desc *ima_template_desc_current(void)
{
if (!ima_template)
- ima_template = lookup_template_desc(IMA_TEMPLATE_IMA_NAME);
-
+ ima_template =
+ lookup_template_desc(CONFIG_IMA_DEFAULT_TEMPLATE);
return ima_template;
}
--
1.8.1.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists