diff options
author | Thiago Jung Bauermann <bauerman@linux.ibm.com> | 2019-06-27 23:19:32 -0300 |
---|---|---|
committer | Mimi Zohar <zohar@linux.ibm.com> | 2019-08-05 18:40:25 -0400 |
commit | 3878d505aa718bcc7b1eb4089ab9b9fb27dee957 (patch) | |
tree | 94bf31dc35114d22a2c87906106074cdcb4bd021 /Documentation/security/IMA-templates.rst | |
parent | 15588227e086ec662d59df144e48af82e3e592f1 (diff) | |
download | linux-stable-3878d505aa718bcc7b1eb4089ab9b9fb27dee957.tar.gz linux-stable-3878d505aa718bcc7b1eb4089ab9b9fb27dee957.tar.bz2 linux-stable-3878d505aa718bcc7b1eb4089ab9b9fb27dee957.zip |
ima: Define ima-modsig template
Define new "d-modsig" template field which holds the digest that is
expected to match the one contained in the modsig, and also new "modsig"
template field which holds the appended file signature.
Add a new "ima-modsig" defined template descriptor with the new fields as
well as the ones from the "ima-sig" descriptor.
Change ima_store_measurement() to accept a struct modsig * argument so that
it can be passed along to the templates via struct ima_event_data.
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'Documentation/security/IMA-templates.rst')
-rw-r--r-- | Documentation/security/IMA-templates.rst | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst index 3d1cca287aa4..c5a8432972ef 100644 --- a/Documentation/security/IMA-templates.rst +++ b/Documentation/security/IMA-templates.rst @@ -68,8 +68,10 @@ descriptors by adding their identifier to the format string - 'd-ng': the digest of the event, calculated with an arbitrary hash algorithm (field format: [<hash algo>:]digest, where the digest prefix is shown only if the hash algorithm is not SHA1 or MD5); + - 'd-modsig': the digest of the event without the appended modsig; - 'n-ng': the name of the event, without size limitations; - 'sig': the file signature; + - 'modsig' the appended file signature; - 'buf': the buffer data that was used to generate the hash without size limitations; @@ -79,6 +81,7 @@ Below, there is the list of defined template descriptors: - "ima-ng" (default): its format is ``d-ng|n-ng``; - "ima-sig": its format is ``d-ng|n-ng|sig``; - "ima-buf": its format is ``d-ng|n-ng|buf``; + - "ima-modsig": its format is ``d-ng|n-ng|sig|d-modsig|modsig``; Use |