authorMimi Zohar2014-07-22 16:39:48 +0200
committerKees Cook2014-07-25 20:47:46 +0200
commit5a9196d715607f76d6b7d96a0970d6065335e62b (patch)
treedf323588d1026b947e489c5fb9c83299dbcb9689 /security/integrity/ima/ima_main.c
parentfirmware_class: perform new LSM checks (diff)
ima: add support for measuring and appraising firmware
The "security: introduce kernel_fw_from_file hook" patch defined a new security hook to evaluate any loaded firmware that wasn't built into the kernel. This patch defines ima_fw_from_file(), which is called from the new security hook, to measure and/or appraise the loaded firmware's integrity. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'security/integrity/ima/ima_main.c')
-rw-r--r--security/integrity/ima/ima_main.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 0d696431209c..2917f980bf30 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -319,6 +319,17 @@ int ima_module_check(struct file *file)
return process_measurement(file, NULL, MAY_EXEC, MODULE_CHECK);
}
+int ima_fw_from_file(struct file *file, char *buf, size_t size)
+{
+ if (!file) {
+ if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
+ (ima_appraise & IMA_APPRAISE_ENFORCE))
+ return -EACCES; /* INTEGRITY_UNKNOWN */
+ return 0;
+ }
+ return process_measurement(file, NULL, MAY_EXEC, FIRMWARE_CHECK);
+}
+
static int __init init_ima(void)
{
int error;
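Review bot: In `ima_fw_from_file()` the `!file` branch returns 0 unless both `IMA_APPRAISE_FIRMWARE` and `IMA_APPRAISE_ENFORCE` are set, and `buf`/`size` are never read, so firmware that arrives without a backing file (presumably a buffer handed over by the firmware loader) is accepted with no measurement entry. On a measure-only or non-enforcing policy this leaves a gap in the measurement list that a remote attestation verifier cannot see. At minimum document it on the branch, e.g. `/* no struct file: cannot measure or appraise; allowed unless firmware appraisal is enforced */`, and add a kernel-doc header stating that `buf` and `size` are currently unused and what each return value means. If the gap is not intended, hashing `buf` over `size` bytes in this branch, or emitting an audit record for the unmeasured load, would close it.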