summaryrefslogtreecommitdiff
path: root/Documentation/ABI/testing/ima_policy
diff options
context:
space:
mode:
authorTushar Sugandhi <tusharsu@linux.microsoft.com>2021-01-07 20:07:05 -0800
committerMimi Zohar <zohar@linux.ibm.com>2021-01-14 23:41:34 -0500
commit47d76a4840501c1cefb3fbce777a86c58b02532b (patch)
treed16d7373c43b3fb57e59b25c6461909517861ec1 /Documentation/ABI/testing/ima_policy
parentc4e43aa2eeb0cffcf0b17e0a60a9d212de9c49df (diff)
IMA: limit critical data measurement based on a label
Integrity critical data may belong to a single subsystem or it may arise from cross subsystem interaction. Currently there is no mechanism to group or limit the data based on certain label. Limiting and grouping critical data based on a label would make it flexible and configurable to measure. Define "label:=", a new IMA policy condition, for the IMA func CRITICAL_DATA to allow grouping and limiting measurement of integrity critical data. Limit the measurement to the labels that are specified in the IMA policy - CRITICAL_DATA+"label:=". If "label:=" is not provided with the func CRITICAL_DATA, measure all the input integrity critical data. Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com> Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'Documentation/ABI/testing/ima_policy')
-rw-r--r--Documentation/ABI/testing/ima_policy2
1 files changed, 2 insertions, 0 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 6ec7daa87cba..54fe1c15ed50 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -52,6 +52,8 @@ Description:
template:= name of a defined IMA template type
(eg, ima-ng). Only valid when action is "measure".
pcr:= decimal value
+ label:= [data_label]
+ data_label:= a unique string used for grouping and limiting critical data.
default policy:
# PROC_SUPER_MAGIC