OSDN Git Service

ima: permit fsverity's file digests in the IMA measurement list
author: Mimi Zohar <zohar@linux.ibm.com>
Thu, 23 Dec 2021 17:29:56 +0000 (12:29 -0500)
committer: Mimi Zohar <zohar@linux.ibm.com>
Thu, 5 May 2022 15:49:13 +0000 (11:49 -0400)
commit: 54f03916fb892441f9a9b579db9ad7925cdeb395
tree: 0fdee8270399ff57636479db46d5d37044373608
parent: 989dc72511f7b57b94b42eabfcbe79d9070de6e3
ima: permit fsverity's file digests in the IMA measurement list

Permit fsverity's file digest (a hash of struct fsverity_descriptor) to
be included in the IMA measurement list, based on the new measurement
policy rule 'digest_type=verity' option.

To differentiate a regular IMA file hash from an fsverity file
digest, use the new d-ngv2 format field included in the ima-ngv2
template.

The following policy rule requires fsverity file digests and specifies
the new 'ima-ngv2' template, which contains the new 'd-ngv2' field.  The
policy rule may be constrained, for example based on an fsuuid or LSM
label.

measure func=FILE_CHECK digest_type=verity template=ima-ngv2

Acked-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
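The rule above makes the measurement list carry two kinds of digest under one template, so anything that consumes the list (an attestation verifier, a log auditor) has to read the d-ngv2 prefix before it can interpret the hex digest. The following is an added example, written for this page and not code from the kernel patch or from any IMA tooling, that parses ima-ngv2 lines in the ascii_runtime_measurements layout, recomputes the template hash, and flags entries whose digest type is not the one the policy demanded. It assumes the d-ngv2 field data is '<type>:<algo>:' followed by a NUL byte and the raw digest, that n-ng is the pathname plus its NUL terminator, that the template hash of a non-"ima" template covers each field as a 32-bit little-endian length followed by the field data (a little-endian host or ima_canonical_fmt) using SHA-1 by default, and that a line reads '<pcr> <template-hash> <template> <d-ngv2> <n-ng>'. The sample lines are constructed inside the block from made-up digests; the function names are the example's own.

```python
"""
Parse and verify 'ima-ngv2' entries from the IMA ASCII measurement list.

Added example, not part of the kernel patch or of any IMA tooling.
Assumed layouts (stated in the lead-in):
  - d-ngv2 field data: '<type>:<algo>:' + NUL + raw digest bytes
  - n-ng field data:   pathname + NUL
  - template hash:     per field, u32 little-endian length then data
                       (little-endian host or ima_canonical_fmt), SHA-1
  - ASCII line:        '<pcr> <template-hash> <template> <d-ngv2> <n-ng>'
"""
import hashlib
import struct

DIGEST_TYPES = ("ima", "verity")


def encode_d_ngv2(digest_type: str, algo: str, digest: bytes) -> bytes:
    """Binary field data for d-ngv2 (assumed layout, see module docstring)."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unknown digest type {digest_type!r}")
    if len(digest) != hashlib.new(algo).digest_size:
        raise ValueError(f"digest length does not match {algo}")
    return f"{digest_type}:{algo}:".encode() + b"\0" + digest


def encode_n_ng(path: str) -> bytes:
    """Binary field data for n-ng: the pathname plus its NUL terminator."""
    return path.encode() + b"\0"


def template_hash(fields, algo: str = "sha1") -> bytes:
    """Hash each field as <u32 length><data>, as assumed for ima-ng style templates."""
    h = hashlib.new(algo)
    for data in fields:
        h.update(struct.pack("<I", len(data)))
        h.update(data)
    return h.digest()


def build_ascii_entry(digest_type, algo, digest, path, pcr=10) -> str:
    """Render one ascii_runtime_measurements-style line for the ima-ngv2 template."""
    fields = [encode_d_ngv2(digest_type, algo, digest), encode_n_ng(path)]
    return (f"{pcr} {template_hash(fields).hex()} ima-ngv2 "
            f"{digest_type}:{algo}:{digest.hex()} {path}")


def parse_ascii_entry(line: str) -> dict:
    """Split an ima-ngv2 line into its fields; the pathname may contain spaces."""
    pcr, th, template, dfield, path = line.split(" ", 4)
    if template != "ima-ngv2":
        raise ValueError(f"not an ima-ngv2 entry: {template}")
    digest_type, algo, hexdigest = dfield.split(":", 2)
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unknown digest type {digest_type!r}")
    return {
        "pcr": int(pcr),
        "template_hash": bytes.fromhex(th),
        "digest_type": digest_type,
        "algo": algo,
        "digest": bytes.fromhex(hexdigest),
        "path": path,
    }


def verify_entry(line: str, template_algo: str = "sha1") -> bool:
    """Recompute the template hash from the ASCII fields and compare it."""
    e = parse_ascii_entry(line)
    fields = [encode_d_ngv2(e["digest_type"], e["algo"], e["digest"]),
              encode_n_ng(e["path"])]
    return template_hash(fields, template_algo) == e["template_hash"]


def audit_digest_type(lines, required_type: str = "verity") -> list:
    """Paths whose entry carries a digest type other than the one policy requires."""
    return [e["path"] for e in map(parse_ascii_entry, lines)
            if e["digest_type"] != required_type]


# Constructed sample entries: the digests are made-up byte strings, not real hashes.
SAMPLE_LINES = [
    build_ascii_entry("verity", "sha256", bytes(range(32)), "/usr/bin/ls"),
    build_ascii_entry("verity", "sha256", bytes(range(32, 64)), "/opt/app/with space.bin"),
    build_ascii_entry("ima", "sha256", bytes(range(64, 96)), "/usr/bin/cat"),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line, "OK" if verify_entry(line) else "MISMATCH")
    print("not verity-measured:", audit_digest_type(SAMPLE_LINES))
```

In practice the lines come from /sys/kernel/security/ima/ascii_runtime_measurements and the template hashes are what get extended into PCR 10, so a verifier should replay them against a TPM quote rather than trust the list on its own; if the kernel was booted with ima_hash=sha256, pass template_algo="sha256". The audit function is the check the new rule makes possible: with digest_type=verity in the policy, an entry whose d-ngv2 prefix reads ima: rather than verity: is a file that was measured without an fsverity digest and deserves a look.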
Documentation/ABI/testing/ima_policy
Documentation/security/IMA-templates.rst
security/integrity/ima/ima_api.c
security/integrity/ima/ima_main.c
security/integrity/ima/ima_policy.c
security/integrity/ima/ima_template_lib.c
security/integrity/integrity.h