diff options
| author | Kamlesh Kumar <kamlesh0hrs@gmail.com> | 2026-04-24 14:39:46 +0300 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2026-04-27 14:24:07 +0300 |
| commit | 398ee113f15c1e8e62535e54f22fb4db340c7835 (patch) | |
| tree | 82691ac606b0694328dbcdbeca55190f10f1289e /include/linux/timerqueue.h | |
| parent | 254f49634ee16a731174d2ae34bc50bd5f45e731 (diff) | |
| download | linux-398ee113f15c1e8e62535e54f22fb4db340c7835.tar.xz | |
ima: Fix sigv3 signature handling for EVM_IMA_XATTR_DIGSIG
ima_get_hash_algo() only recognizes version 2 signatures when the xattr
type is EVM_IMA_XATTR_DIGSIG. Since sigv3 signatures also use
EVM_IMA_XATTR_DIGSIG as the xattr type, version 3 must be accepted as
well to correctly determine the hash algorithm.
Additionally, ima_validate_rule() does not include IMA_SIGV3_REQUIRED in
the allowed flags bitmask for MODULE_CHECK, KEXEC_KERNEL_CHECK, and
KEXEC_INITRAMFS_CHECK hook functions. As a result, policy rules with
"appraise_type=sigv3" are rejected for these functions.
Add version 3 to the accepted versions in ima_get_hash_algo() for
EVM_IMA_XATTR_DIGSIG, and add IMA_SIGV3_REQUIRED to the allowed flags
for MODULE_CHECK, KEXEC_KERNEL_CHECK, and KEXEC_INITRAMFS_CHECK in
ima_validate_rule().
Signed-off-by: Kamlesh Kumar <kam@juniper.net>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Fixes: de4c44a7f559 ("ima: add support to require IMA sigv3 signatures")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'include/linux/timerqueue.h')
0 files changed, 0 insertions, 0 deletions