ima: Enable per ima namespace policy settings
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I49KW1 CVE: NA -------------------------------- Set ima policy per namespace and remove the global settings. Operations on the objects may now have impact in more than one ima namespace and therefore iterate all active ima namespaces when necessary. Read-write violations can now happen across namespaces and should be checked in all namespaces for each relevant ima hook. Inform all concerned ima namespaces about the actions on the objects when the object is freed. E.g. if an object had been appraised in the ima_ns_1 and then modified in the ima_ns_2, appraised flag in the ima_ns_1 is cleared and the object will be re-appraised in the ima_ns_1 namespace. Signed-off-by:Krzysztof Struczynski <krzysztof.struczynski@huawei.com> Reviewed-by:
Loading
Please sign in to comment