From 217091dd7a7a1bdac027ddb7c5a25f6ac0b8e241 Mon Sep 17 00:00:00 2001
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Tue, 13 Aug 2013 08:47:43 -0400
Subject: ima: define '_ima' as a builtin 'trusted' keyring

Require all keys added to the IMA keyring be signed by an
existing trusted key on the system trusted keyring.

Changelog:
- define stub integrity_init_keyring() function (reported-by Fengguang Wu)
- differentiate between regular and trusted keyring names.
- replace printk with pr_info (D. Kasatkin)

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
---
 security/integrity/ima/Kconfig | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'security/integrity/ima/Kconfig')

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 81a27971d884..dad8d4ca2437 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -123,3 +123,11 @@ config IMA_APPRAISE
 	  For more information on integrity appraisal refer to:
 	  <http://linux-ima.sourceforge.net>
 	  If unsure, say N.
+
+config IMA_TRUSTED_KEYRING
+	bool "Require all keys on the _ima keyring be signed"
+	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
+	default y
+	help
+	   This option requires that all keys added to the _ima
+	   keyring be signed by a key on the system trusted keyring.
-- 
cgit