9044d627fd
Introduce the modsig keyword to the IMA policy syntax to specify that a given hook should expect the file to have the IMA signature appended to it. Here is how it can be used in a rule: appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig With this rule, IMA will accept either a signature stored in the extended attribute or an appended signature. For now, the rule above will behave exactly the same as if appraise_type=imasig was specified. The actual modsig implementation will be introduced separately. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
// SPDX-License-Identifier: GPL-2.0+
/*
* IMA support for appraising module-style appended signatures.
*
* Copyright (C) 2019 IBM Corporation
*
* Author:
* Thiago Jung Bauermann <bauerman@linux.ibm.com>
*/
#include "ima.h"
/**
 * ima_hook_supports_modsig - can the policy allow modsig for this hook?
 * @func: the IMA hook being checked
 *
 * An appended signature can only be appraised when the whole file is already
 * sitting in a buffer, which is the case for the hooks that go through
 * ima_post_read_file(). FILE_CHECK reads into a buffer only in some cases and
 * not when reached from vfs_open(), so it is excluded. POLICY_CHECK could
 * carry a modsig, but the policy is a text file, so it is denied as well.
 *
 * Return: true if @func may be combined with appraise_type=modsig in a policy
 * rule, false otherwise.
 */
bool ima_hook_supports_modsig(enum ima_hooks func)
{
	/* Only the buffer-based hooks listed here accept an appended signature. */
	return func == KEXEC_KERNEL_CHECK ||
	       func == KEXEC_INITRAMFS_CHECK ||
	       func == MODULE_CHECK;
}