diff options
author | Dmitry Kasatkin <dmitry.kasatkin@intel.com> | 2012-06-08 12:58:49 +0200 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2013-01-22 22:10:31 +0100 |
commit | 0e5a247cb37a97d843ef76d09d5f80deb7893ba3 (patch) | |
tree | 7206abaf6d20e69a89584046ed7dc9970ba2da12 /security/integrity/integrity.h | |
parent | ima: forbid write access to files with digital signatures (diff) | |
download | linux-0e5a247cb37a97d843ef76d09d5f80deb7893ba3.tar.xz linux-0e5a247cb37a97d843ef76d09d5f80deb7893ba3.zip |
ima: added policy support for 'security.ima' type
The 'security.ima' extended attribute may contain either the file data's
hash or a digital signature. This patch adds support for requiring a
specific extended attribute type. It extends the IMA policy with a new
keyword 'appraise_type=imasig'. (Default is hash.)
Changelog v2:
- Fixed Documentation/ABI/testing/ima_policy option syntax
Changelog v1:
- Differentiate between 'required' vs. 'actual' extended attribute
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/integrity.h')
-rw-r--r-- | security/integrity/integrity.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 0a298def5036..9334691b2b75 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -26,7 +26,9 @@ #define IMA_AUDITED 0x0080 /* iint cache flags */ +#define IMA_ACTION_FLAGS 0xff00 #define IMA_DIGSIG 0x0100 +#define IMA_DIGSIG_REQUIRED 0x0200 #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT) #define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED \ |