Support the read and write operations of ima_appraise by adding a securifyfs file 'appraise_mode'. In order to tune appraise mode in runtime, writing a PKCS#7 signature corresponding the signed content is required. The content should be off, enforce, log or fix. Given a simple way to archive this: $ echo -n off > mode $ openssl smime -sign -nocerts -noattr -binary \ -in mode -inkey <system_trusted_key> \ -signer <cert> -outform der -out mode.p7s $ sudo cat mode.p7s \ > /sys/kernel/security/ima/appraise_mode Note that the signing key must be a trust key located in system trusted keyring. So even the root privilege cannot simply disable the enforcement. --- v2 change: fix build error. Tianjia Zhang (2): ima: support to read appraise mode ima: support to tune appraise mode in runtime security/integrity/ima/ima_fs.c | 140 +++++++++++++++++++++++++++++++- 1 file changed, 139 insertions(+), 1 deletion(-) -- 2.17.1