ima: load policy using path
author Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Fri, 11 Apr 2014 14:47:01 +0000 (17:47 +0300)
committer Mimi Zohar <zohar@linux.vnet.ibm.com>
Sun, 21 Feb 2016 14:34:05 +0000 (09:34 -0500)
commit 7429b092811fb20c6a5b261c2c116a6a90cb9a29
tree d0f141c188d413de6e718689e314b5fe6a39a195
parent d9ddf077bb85b54200dfcb5f2edec4f0d6a7c2ca
ima: load policy using path

We currently cannot do appraisal or signature vetting of IMA policies
since we currently can only load IMA policies by writing the contents
of the policy directly in, as follows:

  cat policy-file > <securityfs>/ima/policy

If we provide the kernel the path to the IMA policy so it can load
the policy itself it'd be able to later appraise or vet the file
signature if it has one.  This patch adds support to load the IMA
policy with a given path as follows:

  echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy

Changelog v4+:
- moved kernel_read_file_from_path() error messages to callers
v3:
- moved kernel_read_file_from_path() to a separate patch
v2:
- after re-ordering the patches, replace calling integrity_kernel_read()
  to read the file with kernel_read_file_from_path() (Mimi)
- Patch description re-written by Luis R. Rodriguez

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
include/linux/fs.h
security/integrity/ima/ima_fs.c