summaryrefslogtreecommitdiff
path: root/security/integrity/ima/ima_appraise.c
diff options
context:
space:
mode:
authorMatthew Garrett <mjg59@google.com>2017-11-07 18:17:42 +0300
committerMimi Zohar <zohar@linux.vnet.ibm.com>2017-12-12 01:20:39 +0300
commit50b977481fce90aa5fbda55e330b9d722733e358 (patch)
treef7852b45d6d4207e37cd89c397905e1a7558c527 /security/integrity/ima/ima_appraise.c
parentae1ba1676b88e6c62368a433c7e2d0417e9879fd (diff)
downloadlinux-50b977481fce90aa5fbda55e330b9d722733e358.tar.xz
EVM: Add support for portable signature format
The EVM signature includes the inode number and (optionally) the filesystem UUID, making it impractical to ship EVM signatures in packages. This patch adds a new portable format intended to allow distributions to include EVM signatures. It is identical to the existing format but hardcodes the inode and generation numbers to 0 and does not include the filesystem UUID even if the kernel is configured to do so. Removing the inode means that the metadata and signature from one file could be copied to another file without invalidating it. This is avoided by ensuring that an IMA xattr is present during EVM validation. Portable signatures are intended to be immutable - ie, they will never be transformed into HMACs. Based on earlier work by Dmitry Kasatkin and Mikhail Kurinnoi. Signed-off-by: Matthew Garrett <mjg59@google.com> Cc: Dmitry Kasatkin <dmitry.kasatkin@huawei.com> Cc: Mikhail Kurinnoi <viewizard@viewizard.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/ima/ima_appraise.c')
-rw-r--r--security/integrity/ima/ima_appraise.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index d32e6a1d931a..084c19e45668 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -230,7 +230,9 @@ int ima_appraise_measurement(enum ima_hooks func,
}
status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
- if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
+ if ((status != INTEGRITY_PASS) &&
+ (status != INTEGRITY_PASS_IMMUTABLE) &&
+ (status != INTEGRITY_UNKNOWN)) {
if ((status == INTEGRITY_NOLABEL)
|| (status == INTEGRITY_NOXATTRS))
cause = "missing-HMAC";