[PATCH 3/4] ima: don't ignore INTEGRITY_UNKNOWN EVM status
Mimi Zohar
zohar at linux.ibm.com
Mon May 20 21:20:12 UTC 2019
On Thu, 2019-05-16 at 18:12 +0200, Roberto Sassu wrote:
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 52e6fbb042cc..80e1c233656b 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1588,6 +1588,9 @@
> Format: { "off" | "enforce" | "fix" | "log" }
> default: "enforce"
>
> + ima_appraise_req_evm
> + [IMA] require EVM for appraisal with file digests.
As much as possible we want to limit the number of new boot command
line options as possible. Is there a reason for not extending
"ima_appraise=" with "require-evm" or "enforce-evm"?
Mimi
> +
> ima_appraise_tcb [IMA] Deprecated. Use ima_policy= instead.
> The builtin appraise policy appraises all files
> owned by uid=0.
More information about the Linux-security-module-archive
mailing list