On Fri, 2016-02-12 at 20:53 +0800, Dave Young wrote:
> Hi, Mimi
>
> > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> > index a5d2592..832e62a 100644
> > --- a/security/integrity/ima/ima.h
> > +++ b/security/integrity/ima/ima.h
> > @@ -147,6 +147,8 @@ enum ima_hooks {
> > POST_SETATTR,
> > MODULE_CHECK,
> > FIRMWARE_CHECK,
> > + KEXEC_CHECK,
> > + INITRAMFS_CHECK,
>
> KEXEC_CHECK is actually kexec kernel image check, INITRAMFS_CHECK is for
> kexec initramfs check, they are both for checking kexec loaded files.
>
> Do you mind a longer id like KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK?

These are the IMA policy tokens. Currently the IMA policy would include
these KEXEC rules, where "appraise_type=imasig" indicates requiring a
signature as opposed to a hash.

measure func=KEXEC_CHECK
appraise func=KEXEC_CHECK appraise_type=imasig
#
measure func=INITRAMFS_CHECK
appraise func=INITRAMFS_CHECK appraise_type=imasig

I'll change these IMA policy identifiers to the longer names you
suggested.

thanks,

Mimi

> > MAX_CHECK
> > };
> >
>
> Thanks
> Dave
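
Review bot: In the two entries added to enum ima_hooks ahead of MAX_CHECK, INITRAMFS_CHECK gives no hint that it applies only to files loaded through kexec, and KEXEC_CHECK does not say that it covers the kernel image rather than every kexec-loaded file. The reply shows these names are also the func= values written in IMA policy rules, so they are visible to whoever writes the policy and are harder to rename once in use; the longer KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK are worth settling on in this patch. A short comment on each new entry stating which file it covers, with the same tokens listed wherever the IMA policy syntax is documented, would keep the enum and the policy language in step.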