[PATCH-v2 0/3] ima: add support for custom template formats

From: Roberto Sassu
Date: Fri Dec 06 2013 - 07:59:25 EST

Next message: Roberto Sassu: "[PATCH-v2 1/3] ima: added error messages to template-related functions"
Previous message: Mark Brown: "Re: [PATCH v5 2/3] regulator: tps6586x: add and use correct voltagetable"
Next in thread: Roberto Sassu: "[PATCH-v2 1/3] ima: added error messages to template-related functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi everyone

currently accepted patches for the new template management mechanism allow to
choose among a list of supported templates, statically defined in the code.
This functionality is not flexible enough as users may want to include
in their measurements list only information needed and not use predefined
combinations.

For this reason, this patch set introduces the new kernel command line parameter
'ima_template_fmt' to specify a custom template format at boot time,
i.e. a string of template fields identifiers concatenated with the '|'
separator character. The complete list of defined template fields can be
found in Documentation/security/IMA-templates.txt.

The format string is checked at the very beginning in the setup function
ima_template_fmt_setup() so that, if it is wrong, IMA can go back to the
default template, selected through a kernel configuration option.

To allow userspace tools parse a measurements list with a custom format, IMA
provides as template name the same format string provided by users at boot
time, so that tools know which information are included in a entry and extract
them if they can handle listed template fields.

Changelog:
- patch 2/3: fixed patch description (Roberto Sassu, suggested by Mimi Zohar)
- patch 3/3: set 'template_name' variable in ima_fs.c only once
(Roberto Sassu, suggested by Mimi Zohar)
- patch 3/3: simplified code of ima_template_fmt_setup()
(Roberto Sassu, suggested by Mimi Zohar)
- the patch 'ima: make a copy of template_fmt in template_desc_init_fields()'
has been removed from this version of the patch set since it has been already
merged in the mainline kernel (commit: dbc335d2d + fix: af91706d5)

Roberto Sassu

Roberto Sassu (3):
ima: added error messages to template-related functions
ima: display template format in meas. list if template name length is
zero
ima: added support for new kernel cmdline parameter ima_template_fmt

Documentation/kernel-parameters.txt | 4 +++
Documentation/security/IMA-templates.txt | 29 ++++++++---------
security/integrity/ima/ima_fs.c | 16 +++++++---
security/integrity/ima/ima_template.c | 55 ++++++++++++++++++++++++++++++--
4 files changed, 83 insertions(+), 21 deletions(-)

--
1.8.1.4

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Next message: Roberto Sassu: "[PATCH-v2 1/3] ima: added error messages to template-related functions"
Previous message: Mark Brown: "Re: [PATCH v5 2/3] regulator: tps6586x: add and use correct voltagetable"
Next in thread: Roberto Sassu: "[PATCH-v2 1/3] ima: added error messages to template-related functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]