Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.19 / 9e67028e76514a8ee279d7d006dfb8069b5115ab
commit9e67028e76514a8ee279d7d006dfb8069b5115ab[log] [tgz]
authorMimi Zohar <zohar@linux.vnet.ibm.com>Wed Feb 21 11:36:32 2018 -0500
committerMimi Zohar <zohar@linux.vnet.ibm.com>Fri Mar 23 06:31:37 2018 -0400
tree9827bd28b629bf69db447666494194d118d58e25
parenta9a4935d44b58c858a81393694bc232a96cdcbd4 [diff]
ima: fail signature verification based on policy

This patch addresses the fuse privileged mounted filesystems in
environments which are unwilling to accept the risk of trusting the
signature verification and want to always fail safe, but are for example
using a pre-built kernel.

This patch defines a new builtin policy named "fail_securely", which can
be specified on the boot command line as an argument to "ima_policy=".

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Seth Forshee <seth.forshee@canonical.com>
Cc: Dongsu Park <dongsu@kinvolk.io>
Cc: Alban Crequy <alban@kinvolk.io>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
5 files changed
tree: 9827bd28b629bf69db447666494194d118d58e25
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. LICENSES/
  15. mm/
  16. net/
  17. samples/
  18. scripts/
  19. security/
  20. sound/
  21. tools/
  22. usr/
  23. virt/
  24. .cocciconfig
  25. .get_maintainer.ignore
  26. .gitattributes
  27. .gitignore
  28. .mailmap
  29. COPYING
  30. CREDITS
  31. Kbuild
  32. Kconfig
  33. MAINTAINERS
  34. Makefile
  35. README