ima: added policy support for 'security.ima' type The 'security.ima' extended attribute may contain either the file data's hash or a digital signature. This patch adds support for requiring a specific extended attribute type. It extends the IMA policy with a new keyword 'appraise_type=imasig'. (Default is hash.) Changelog v2: - Fixed Documentation/ABI/testing/ima_policy option syntax Changelog v1: - Differentiate between 'required' vs. 'actual' extended attribute Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

commit: 0e5a247cb37a97d843ef76d09d5f80deb7893ba3 [log] [tgz]
author: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Fri Jun 08 13:58:49 2012 +0300
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> Tue Jan 22 16:10:31 2013 -0500
tree: 7206abaf6d20e69a89584046ed7dc9970ba2da12
parent: a175b8bb29ebbad380ab4788f307fbfc47997b19 [diff] [blame]
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index fa675c9..8004332 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c

@@ -102,6 +102,11 @@
 
 	switch (xattr_value->type) {
 	case IMA_XATTR_DIGEST:
+		if (iint->flags & IMA_DIGSIG_REQUIRED) {
+			cause = "IMA signature required";
+			status = INTEGRITY_FAIL;
+			break;
+		}
 		rc = memcmp(xattr_value->digest, iint->ima_xattr.digest,
 			    IMA_DIGEST_SIZE);
 		if (rc) {
commit	0e5a247cb37a97d843ef76d09d5f80deb7893ba3	[log] [tgz]
author	Dmitry Kasatkin <dmitry.kasatkin@intel.com>	Fri Jun 08 13:58:49 2012 +0300
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	Tue Jan 22 16:10:31 2013 -0500
tree	7206abaf6d20e69a89584046ed7dc9970ba2da12
parent	a175b8bb29ebbad380ab4788f307fbfc47997b19 [diff] [blame]