| author | Mimi Zohar <zohar@linux.ibm.com> | 2021-12-23 20:29:56 +0300 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2022-05-05 18:49:13 +0300 |
| commit | 54f03916fb892441f9a9b579db9ad7925cdeb395 (patch) | |
| tree | 0fdee8270399ff57636479db46d5d37044373608 /security/integrity/integrity.h | |
| parent | 989dc72511f7b57b94b42eabfcbe79d9070de6e3 (diff) | |
| download | linux-54f03916fb892441f9a9b579db9ad7925cdeb395.tar.xz | |
ima: permit fsverity's file digests in the IMA measurement list
Permit fsverity's file digest (a hash of struct fsverity_descriptor) to
be included in the IMA measurement list, based on the new measurement
policy rule 'digest_type=verity' option.
To differentiate a regular IMA file hash from an fsverity file digest,
use the new d-ngv2 format field included in the ima-ngv2 template.
The following policy rule requires fsverity file digests and specifies
the new 'ima-ngv2' template, which contains the new 'd-ngv2' field. The
policy rule may be constrained, for example based on an fsuuid or LSM
label.
measure func=FILE_CHECK digest_type=verity template=ima-ngv2
Acked-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security/integrity/integrity.h')
-rw-r--r-- | security/integrity/integrity.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 3510e413ea17..04e2b99cd912 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -40,6 +40,7 @@ #define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000 #define IMA_MODSIG_ALLOWED 0x20000000 #define IMA_CHECK_BLACKLIST 0x40000000 +#define IMA_VERITY_REQUIRED 0x80000000 #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ IMA_HASH | IMA_APPRAISE_SUBMASK) |
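Review bot: IMA_VERITY_REQUIRED takes the last free bit (0x80000000) of a 32-bit flag word, after IMA_FAIL_UNVERIFIABLE_SIGS (0x10000000), IMA_MODSIG_ALLOWED (0x20000000) and IMA_CHECK_BLACKLIST (0x40000000); a one-line comment that the policy flag space is now exhausted would save the next contributor from silently colliding with an existing bit. Note also that the literal 0x80000000 does not fit in a signed 32-bit int and therefore has type unsigned int in C, unlike the neighbouring constants, so any field, mask or comparison this flag is combined with should be checked to be unsigned (or wide enough) to avoid sign-extension surprises when the flag is tested alongside IMA_DO_MASK.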