author: Thiago Jung Bauermann <bauerman@linux.ibm.com> 2019-06-27 23:19:28 -0300
committer: Mimi Zohar <zohar@linux.ibm.com> 2019-08-05 18:40:21 -0400
commit: 9044d627fd18f9fca49b62d4619ee14914b91464 (patch)
tree: db035dc7773f8b8509f87115f510ed340aef7b52 /security/integrity/ima/Makefile
parent: cf38fed1e183dd2410f62d49ae635fe593082f0c (diff)

ima: Add modsig appraise_type option for module-style appended signatures

Introduce the modsig keyword to the IMA policy syntax to specify that
a given hook should expect the file to have the IMA signature appended
to it. Here is how it can be used in a rule:

    appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig

With this rule, IMA will accept either a signature stored in the extended
attribute or an appended signature.

For now, the rule above will behave exactly the same as if
appraise_type=imasig was specified. The actual modsig implementation
will be introduced separately.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Diffstat (limited to 'security/integrity/ima/Makefile')
-rw-r--r-- security/integrity/ima/Makefile 1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
index d921dc4f9eb0..31d57cdf2421 100644
--- a/security/integrity/ima/Makefile
+++ b/security/integrity/ima/Makefile
@@ -9,5 +9,6 @@ obj-$(CONFIG_IMA) += ima.o
ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
ima_policy.o ima_template.o ima_template_lib.o
ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
+ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o
ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o
obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o
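
Review bot: The added `ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o` line does not by itself tie ima_modsig.o to ima_appraise.o, which is built only under CONFIG_IMA_APPRAISE on the line above it. Please confirm that the Kconfig entry for IMA_APPRAISE_MODSIG depends on IMA_APPRAISE; that entry is not visible here because this view is limited to the Makefile. Separately, the commit message says `appraise_type=imasig|modsig` currently behaves exactly like `appraise_type=imasig`, so a policy author could assume appended signatures are already being verified. I would like the policy documentation or the Kconfig help text to say that modsig is accepted by the parser but not yet enforced, and to state what happens to a rule containing modsig when CONFIG_IMA_APPRAISE_MODSIG is not set.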