git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/commit

author	Thiago Jung Bauermann <bauerman@linux.ibm.com>
	Fri, 28 Jun 2019 02:19:28 +0000 (23:19 -0300)
committer	Mimi Zohar <zohar@linux.ibm.com>
	Mon, 5 Aug 2019 22:40:21 +0000 (18:40 -0400)
commit	9044d627fd18f9fca49b62d4619ee14914b91464
tree	db035dc7773f8b8509f87115f510ed340aef7b52	tree
parent	cf38fed1e183dd2410f62d49ae635fe593082f0c	commit \| diff

ima: Add modsig appraise_type option for module-style appended signatures

Introduce the modsig keyword to the IMA policy syntax to specify that
a given hook should expect the file to have the IMA signature appended
to it. Here is how it can be used in a rule:

appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig

With this rule, IMA will accept either a signature stored in the extended
attribute or an appended signature.

For now, the rule above will behave exactly the same as if
appraise_type=imasig was specified. The actual modsig implementation
will be introduced separately.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Documentation/ABI/testing/ima_policy		diff \| blob \| blame \| history
security/integrity/ima/Kconfig		diff \| blob \| blame \| history
security/integrity/ima/Makefile		diff \| blob \| blame \| history
security/integrity/ima/ima.h		diff \| blob \| blame \| history
security/integrity/ima/ima_modsig.c	[new file with mode: 0644]	blob
security/integrity/ima/ima_policy.c		diff \| blob \| blame \| history
security/integrity/integrity.h		diff \| blob \| blame \| history