adf53a778a
The original 'ima' template is fixed length, containing the filedata hash and pathname. The filedata hash is limited to 20 bytes (md5/sha1). The pathname is a null terminated string, limited to 255 characters. To overcome these limitations and to add additional file metadata, it is necessary to extend the current version of IMA by defining additional templates. The main reason to introduce this feature is that, each time a new template is defined, the functions that generate and display the measurement list would include the code for handling a new format and, thus, would significantly grow over time. This patch set solves this problem by separating the template management from the remaining IMA code. The core of this solution is the definition of two new data structures: a template descriptor, to determine which information should be included in the measurement list, and a template field, to generate and display data of a given type. To define a new template field, developers define the field identifier and implement two functions, init() and show(), respectively to generate and display measurement entries. Initially, this patch set defines the following template fields (support for additional data types will be added later): - 'd': the digest of the event (i.e. the digest of a measured file), calculated with the SHA1 or MD5 hash algorithm; - 'n': the name of the event (i.e. the file name), with size up to 255 bytes; - 'd-ng': the digest of the event, calculated with an arbitrary hash algorithm (field format: [<hash algo>:]digest, where the digest prefix is shown only if the hash algorithm is not SHA1 or MD5); - 'n-ng': the name of the event, without size limitations. Defining a new template descriptor requires specifying the template format, a string of field identifiers separated by the '|' character. This patch set defines the following template descriptors: - "ima": its format is 'd|n'; - "ima-ng" (default): its format is 'd-ng|n-ng' Further details about the new template architecture can be found in Documentation/security/IMA-templates.txt. Changelog: - don't defer calling ima_init_template() - Mimi - don't define ima_lookup_template_desc() until used - Mimi - squashed with documentation patch - Mimi Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> |
||
|---|---|---|
| .. | ||
| ABI | ||
| accounting | ||
| acpi | ||
| aoe | ||
| arm | ||
| arm64 | ||
| auxdisplay | ||
| backlight | ||
| blackfin | ||
| block | ||
| blockdev | ||
| bus-devices | ||
| cdrom | ||
| cgroups | ||
| connector | ||
| console | ||
| cpu-freq | ||
| cpuidle | ||
| cris | ||
| crypto | ||
| development-process | ||
| device-mapper | ||
| devicetree | ||
| DocBook | ||
| driver-model | ||
| dvb | ||
| early-userspace | ||
| EDID | ||
| extcon | ||
| fault-injection | ||
| fb | ||
| filesystems | ||
| firmware_class | ||
| fmc | ||
| frv | ||
| hid | ||
| hwmon | ||
| i2c | ||
| i2o | ||
| ia64 | ||
| ide | ||
| infiniband | ||
| input | ||
| ioctl | ||
| isdn | ||
| ja_JP | ||
| kbuild | ||
| kdump | ||
| ko_KR | ||
| laptops | ||
| leds | ||
| m68k | ||
| make | ||
| memory-devices | ||
| metag | ||
| mips | ||
| misc-devices | ||
| mmc | ||
| mn10300 | ||
| mtd | ||
| namespaces | ||
| netlabel | ||
| networking | ||
| nfc | ||
| parisc | ||
| PCI | ||
| pcmcia | ||
| power | ||
| powerpc | ||
| pps | ||
| prctl | ||
| pti | ||
| ptp | ||
| rapidio | ||
| RCU | ||
| s390 | ||
| scheduler | ||
| scsi | ||
| security | ||
| serial | ||
| sh | ||
| sound | ||
| spi | ||
| sysctl | ||
| target | ||
| thermal | ||
| timers | ||
| tpm | ||
| trace | ||
| usb | ||
| vDSO | ||
| video4linux | ||
| virtual | ||
| vm | ||
| w1 | ||
| watchdog | ||
| wimax | ||
| x86 | ||
| xtensa | ||
| zh_CN | ||
| .gitignore | ||
| 00-INDEX | ||
| applying-patches.txt | ||
| assoc_array.txt | ||
| atomic_ops.txt | ||
| bad_memory.txt | ||
| basic_profiling.txt | ||
| bcache.txt | ||
| binfmt_misc.txt | ||
| braille-console.txt | ||
| bt8xxgpio.txt | ||
| btmrvl.txt | ||
| BUG-HUNTING | ||
| bus-virt-phys-mapping.txt | ||
| cachetlb.txt | ||
| Changes | ||
| circular-buffers.txt | ||
| clk.txt | ||
| coccinelle.txt | ||
| CodingStyle | ||
| cpu-hotplug.txt | ||
| cpu-load.txt | ||
| cputopology.txt | ||
| crc32.txt | ||
| dcdbas.txt | ||
| debugging-modules.txt | ||
| debugging-via-ohci1394.txt | ||
| dell_rbu.txt | ||
| devices.txt | ||
| digsig.txt | ||
| DMA-API-HOWTO.txt | ||
| DMA-API.txt | ||
| DMA-attributes.txt | ||
| dma-buf-sharing.txt | ||
| DMA-ISA-LPC.txt | ||
| dmaengine.txt | ||
| dmatest.txt | ||
| dontdiff | ||
| dynamic-debug-howto.txt | ||
| edac.txt | ||
| eisa.txt | ||
| email-clients.txt | ||
| flexible-arrays.txt | ||
| futex-requeue-pi.txt | ||
| gcov.txt | ||
| gpio.txt | ||
| highuid.txt | ||
| HOWTO | ||
| hw_random.txt | ||
| hwspinlock.txt | ||
| init.txt | ||
| initrd.txt | ||
| Intel-IOMMU.txt | ||
| intel_txt.txt | ||
| io-mapping.txt | ||
| io_ordering.txt | ||
| iostats.txt | ||
| IPMI.txt | ||
| IRQ-affinity.txt | ||
| IRQ-domain.txt | ||
| IRQ.txt | ||
| irqflags-tracing.txt | ||
| isapnp.txt | ||
| java.txt | ||
| kernel-doc-nano-HOWTO.txt | ||
| kernel-docs.txt | ||
| kernel-parameters.txt | ||
| kernel-per-CPU-kthreads.txt | ||
| kmemcheck.txt | ||
| kmemleak.txt | ||
| kobject.txt | ||
| kprobes.txt | ||
| kref.txt | ||
| ldm.txt | ||
| local_ops.txt | ||
| lockdep-design.txt | ||
| lockstat.txt | ||
| lockup-watchdogs.txt | ||
| logo.gif | ||
| logo.txt | ||
| magic-number.txt | ||
| Makefile | ||
| ManagementStyle | ||
| md.txt | ||
| media-framework.txt | ||
| memory-barriers.txt | ||
| memory-hotplug.txt | ||
| mono.txt | ||
| mutex-design.txt | ||
| nommu-mmap.txt | ||
| numastat.txt | ||
| oops-tracing.txt | ||
| padata.txt | ||
| parport-lowlevel.txt | ||
| parport.txt | ||
| percpu-rw-semaphore.txt | ||
| pi-futex.txt | ||
| pinctrl.txt | ||
| pnp.txt | ||
| preempt-locking.txt | ||
| printk-formats.txt | ||
| pwm.txt | ||
| ramoops.txt | ||
| rbtree.txt | ||
| remoteproc.txt | ||
| rfkill.txt | ||
| robust-futex-ABI.txt | ||
| robust-futexes.txt | ||
| rpmsg.txt | ||
| rt-mutex-design.txt | ||
| rt-mutex.txt | ||
| rtc.txt | ||
| SAK.txt | ||
| SecurityBugs | ||
| serial-console.txt | ||
| sgi-ioc4.txt | ||
| sgi-visws.txt | ||
| SM501.txt | ||
| smsc_ece1099.txt | ||
| sparse.txt | ||
| spinlocks.txt | ||
| stable_api_nonsense.txt | ||
| stable_kernel_rules.txt | ||
| static-keys.txt | ||
| SubmitChecklist | ||
| SubmittingDrivers | ||
| SubmittingPatches | ||
| svga.txt | ||
| sysfs-rules.txt | ||
| sysrq.txt | ||
| this_cpu_ops.txt | ||
| unaligned-memory-access.txt | ||
| unicode.txt | ||
| unshare.txt | ||
| vfio.txt | ||
| VGA-softcursor.txt | ||
| vgaarbiter.txt | ||
| video-output.txt | ||
| vme_api.txt | ||
| volatile-considered-harmful.txt | ||
| workqueue.txt | ||
| ww-mutex-design.txt | ||
| xz.txt | ||
| zorro.txt | ||
