This patch set provides some small enhancements for IMA and EVM. Patch 1 avoids measurement and audit when access to the file will be denied by IMA itself. Patch 2 introduces a new policy keyword meta_immutable to protect the label transition during binary execution. Patch 3-5 add new hard-coded policies aiming at producing measurement or enforcing access to files that likely are provided by software vendors. Patch 6 increases the crypto resistance of EVM by allowing the choice of the hash algorithm for the HMAC. Patch 7 adds two new values for the evm= option in the kernel command line to facilitate the setup of EVM. Roberto Sassu (7): ima: Avoid measurement and audit if access to the file will be denied ima: Add meta_immutable appraisal type ima: Introduce exec_tcb and tmpfs policies ima: Introduce appraise_exec_tcb and appraise_tmpfs policies ima: Introduce appraise_exec_immutable policy evm: Allow choice of hash algorithm for HMAC evm: Extend evm= with allow_metadata_writes and complete values Documentation/ABI/testing/ima_policy | 2 +- .../admin-guide/kernel-parameters.txt | 36 +++++++- security/integrity/evm/Kconfig | 34 +++++++ security/integrity/evm/evm.h | 2 + security/integrity/evm/evm_crypto.c | 55 ++++++++++-- security/integrity/evm/evm_main.c | 29 ++++-- security/integrity/ima/ima_appraise.c | 9 ++ security/integrity/ima/ima_main.c | 20 +++-- security/integrity/ima/ima_policy.c | 90 ++++++++++++++----- security/integrity/integrity.h | 4 +- 10 files changed, 232 insertions(+), 49 deletions(-) -- 2.26.2
