| Field | Value | Date |
|---|---|---|
| author | Thiago Jung Bauermann <bauerman@linux.ibm.com> | 2019-06-27 23:19:30 -0300 |
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2019-08-05 18:40:23 -0400 |
| commit | 39b07096364a42c516415d5f841069e885234e61 (patch) | |
| tree | 5ab235d361dcf9671a715f4fa38259789fa68e3f /security/integrity/ima/ima_policy.c | |
| parent | a5fbeb615ca42f913ace3291d636e96feabcc545 (diff) | |
| download | linux-39b07096364a42c516415d5f841069e885234e61.tar.gz, linux-39b07096364a42c516415d5f841069e885234e61.tar.bz2, linux-39b07096364a42c516415d5f841069e885234e61.zip | |
ima: Implement support for module-style appended signatures
Implement the appraise_type=imasig|modsig option, allowing IMA to read and
verify modsig signatures.
In case a file has both an xattr signature and an appended modsig, IMA will
only use the appended signature if the key used by the xattr signature
isn't present in the IMA or platform keyring.
Because modsig verification needs to convert from an integrity keyring id
to the keyring itself, add an integrity_keyring_from_id() function in
digsig.c so that integrity_modsig_verify() can use it.
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security/integrity/ima/ima_policy.c')

| Mode | File | Changes |
|---|---|---|
| -rw-r--r-- | security/integrity/ima/ima_policy.c | 12 |

1 files changed, 6 insertions, 6 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 5b6061d6bce0..873dd7edaa78 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1258,6 +1258,12 @@ void ima_delete_rules(void) } } +#define __ima_hook_stringify(str) (#str), + +const char *const func_tokens[] = { + __ima_hooks(__ima_hook_stringify) +}; + #ifdef CONFIG_IMA_READ_POLICY enum { mask_exec = 0, mask_write, mask_read, mask_append @@ -1270,12 +1276,6 @@ static const char *const mask_tokens[] = { "^MAY_APPEND" }; -#define __ima_hook_stringify(str) (#str), - -static const char *const func_tokens[] = { - __ima_hooks(__ima_hook_stringify) -}; - void *ima_policy_start(struct seq_file *m, loff_t *pos) { loff_t l = *pos; |
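Review bot: `func_tokens` is moved out of the `#ifdef CONFIG_IMA_READ_POLICY` block and loses its `static` qualifier, but no matching declaration appears in this diff (the diffstat is limited to ima_policy.c), so the translation unit that now references the array from the modsig path needs an `extern const char *const func_tokens[];` in the IMA header in the same commit; otherwise sparse will report the symbol as undeclared and ask whether it should be static. Since the array and the `__ima_hook_stringify` helper are now compiled unconditionally rather than only with CONFIG_IMA_READ_POLICY, it is also worth confirming that every remaining user of `func_tokens` is built in the same configurations, so the table is not emitted as dead data in builds without the new appraise_type=imasig|modsig support.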