summaryrefslogtreecommitdiff
path: root/security/integrity/ima/Kconfig
diff options
context:
space:
mode:
authorPetko Manolov <petkan@mip-labs.com>2015-12-02 17:47:54 +0200
committerMimi Zohar <zohar@linux.vnet.ibm.com>2015-12-15 10:01:43 -0500
commit38d859f991f3a05b352a06f82af0baa1acf33e02 (patch)
tree05100d5f61490abf1a180d2f51b8b0960bba5123 /security/integrity/ima/Kconfig
parent05d3884b1ee66d83ad70ffa658c7b363797e2b0c (diff)
IMA: policy can now be updated multiple times
The new rules get appended to the original policy, forming a queue. The new rules are first added to a temporary list, which on error get released without disturbing the normal IMA operations. On success both lists (the current policy and the new rules) are spliced. IMA policy reads are many orders of magnitude more numerous compared to writes, the match code is RCU protected. The updater side also does list splice in RCU manner. Signed-off-by: Petko Manolov <petkan@mip-labs.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/ima/Kconfig')
-rw-r--r--security/integrity/ima/Kconfig11
1 files changed, 11 insertions, 0 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index a292b881c16f..e74d66cbfe87 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -107,6 +107,17 @@ config IMA_DEFAULT_HASH
default "sha512" if IMA_DEFAULT_HASH_SHA512
default "wp512" if IMA_DEFAULT_HASH_WP512
+config IMA_WRITE_POLICY
+ bool "Enable multiple writes to the IMA policy"
+ depends on IMA
+ default n
+ help
+ IMA policy can now be updated multiple times. The new rules get
+ appended to the original policy. Have in mind that the rules are
+ scanned in FIFO order so be careful when you design and add new ones.
+
+ If unsure, say N.
+
config IMA_APPRAISE
bool "Appraise integrity measurements"
depends on IMA