path: root/security/integrity/integrity.h
author: Thiago Jung Bauermann <bauerman@linux.ibm.com> 2019-06-27 23:19:28 -0300
committer: Mimi Zohar <zohar@linux.ibm.com> 2019-08-05 18:40:21 -0400
commit: 9044d627fd18f9fca49b62d4619ee14914b91464 (patch)
tree: db035dc7773f8b8509f87115f510ed340aef7b52 /security/integrity/integrity.h
parent: cf38fed1e183dd2410f62d49ae635fe593082f0c (diff)
download: linux-9044d627fd18f9fca49b62d4619ee14914b91464.tar.gz
ima: Add modsig appraise_type option for module-style appended signatures
Introduce the modsig keyword to the IMA policy syntax to specify that
a given hook should expect the file to have the IMA signature appended
to it. Here is how it can be used in a rule:

appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig

With this rule, IMA will accept either a signature stored in the extended
attribute or an appended signature.

For now, the rule above will behave exactly the same as if
appraise_type=imasig was specified. The actual modsig implementation
will be introduced separately.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
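The commit message describes the new policy syntax (`appraise_type=imasig|modsig`) but the patch itself only reserves the flag bit. The following is an added userspace example, not kernel code and not the project's own parser, showing how such a `|`-separated `appraise_type` value can be turned into a flags word using the `IMA_MODSIG_ALLOWED` bit from the hunk. The `IMA_APPRAISE` value, the function names and the acceptance of each token on its own are assumptions made for this example; the page only documents the combined `imasig|modsig` form.

```c
/* Added example, not Linux kernel code. Parses an IMA policy
 * appraise_type= value such as "imasig|modsig" into a flags word.
 * IMA_MODSIG_ALLOWED is the value added by the patch; IMA_APPRAISE is an
 * assumed placeholder value for this example only. */
#include <stdio.h>
#include <string.h>

#define IMA_APPRAISE        0x00000002UL  /* assumed for this example */
#define IMA_MODSIG_ALLOWED  0x20000000UL  /* value introduced by the patch */

/* Returns 0 and sets *flags on success; returns -1 and leaves *flags
 * untouched on an empty value or an unknown/empty token. Each token is
 * accepted independently here (an assumption; the page only shows
 * "imasig|modsig"). */
int parse_appraise_type(const char *value, unsigned long *flags)
{
	unsigned long out = 0;
	const char *p = value;

	if (!value || !*value)
		return -1;

	for (;;) {
		const char *bar = strchr(p, '|');
		size_t len = bar ? (size_t)(bar - p) : strlen(p);

		if (len == 6 && strncmp(p, "imasig", 6) == 0)
			out |= IMA_APPRAISE;
		else if (len == 6 && strncmp(p, "modsig", 6) == 0)
			out |= IMA_MODSIG_ALLOWED;
		else
			return -1;	/* unknown or empty token */

		if (!bar)
			break;
		p = bar + 1;
	}

	*flags = out;
	return 0;
}

/* True when a rule's flags permit an appended (module-style) signature. */
int modsig_allowed(unsigned long flags)
{
	return (flags & IMA_MODSIG_ALLOWED) != 0;
}

int main(void)
{
	/* Constructed sample values, mirroring the commit message's rule. */
	const char *samples[] = { "imasig|modsig", "imasig", "imasig|bogus" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned long flags = 0;
		int rc = parse_appraise_type(samples[i], &flags);

		printf("%-14s -> rc=%d flags=0x%08lx modsig=%d\n",
		       samples[i], rc, flags, modsig_allowed(flags));
	}
	return 0;
}
```

The parser rejects anything it does not recognise rather than ignoring it, so a typo in a policy rule fails loudly instead of silently producing a weaker rule.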
Diffstat (limited to 'security/integrity/integrity.h')
-rw-r--r-- security/integrity/integrity.h | 1 +
1 file changed, 1 insertion(+), 0 deletions(-)
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index ed12d8e13d04..8c5736b68156 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -31,6 +31,7 @@
 #define IMA_NEW_FILE		0x04000000
 #define EVM_IMMUTABLE_DIGSIG	0x08000000
 #define IMA_FAIL_UNVERIFIABLE_SIGS	0x10000000
+#define IMA_MODSIG_ALLOWED	0x20000000
 
 #define IMA_DO_MASK		(IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
 				 IMA_HASH | IMA_APPRAISE_SUBMASK)
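Review bot: the new IMA_MODSIG_ALLOWED define carries no comment saying what sets it (appraise_type=modsig, per the commit message) or that, as the message states, nothing acts on it yet; a one-line comment on the define such as "/* rule flag: accept an appended (module-style) signature */" would spare the next reader a trip through the policy parser. The bit also sits immediately below the masks that follow (IMA_DO_MASK and its siblings), so it is worth stating in the commit message that none of them should include it. Finally, 0x20000000 leaves only two free bits in a 32-bit flags word, which the series that implements modsig should keep in mind before reserving more.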