8b68150883
Pull integrity updates from Mimi Zohar:
"Bug fixes, code clean up, and new features:
- IMA policy rules can be defined in terms of LSM labels, making the
IMA policy dependent on LSM policy label changes, in particular LSM
label deletions. The new environment, in which IMA-appraisal is
being used, frequently updates the LSM policy and permits LSM label
deletions.
- Prevent an mmap'ed shared file opened for write from also being
mmap'ed execute. In the long term, making this and other similar
changes at the VFS layer would be preferable.
- The IMA per policy rule template format support is needed for a
couple of new/proposed features (eg. kexec boot command line
measurement, appended signatures, and VFS provided file hashes).
- Other than the "boot-aggregate" record in the IMA measuremeent
list, all other measurements are of file data. Measuring and
storing the kexec boot command line in the IMA measurement list is
the first buffer based measurement included in the measurement
list"
* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
integrity: Introduce struct evm_xattr
ima: Update MAX_TEMPLATE_NAME_LEN to fit largest reasonable definition
KEXEC: Call ima_kexec_cmdline to measure the boot command line args
IMA: Define a new template field buf
IMA: Define a new hook to measure the kexec boot command line arguments
IMA: support for per policy rule template formats
integrity: Fix __integrity_init_keyring() section mismatch
ima: Use designated initializers for struct ima_event_data
ima: use the lsm policy update notifier
LSM: switch to blocking policy update notifiers
x86/ima: fix the Kconfig dependency for IMA_ARCH_POLICY
ima: Make arch_policy_entry static
ima: prevent a file already mmap'ed write to be mmap'ed execute
x86/ima: check EFI SetupMode too
46 lines
1.9 KiB
C
46 lines
1.9 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* Copyright (C) 2013 Politecnico di Torino, Italy
|
|
* TORSEC group -- http://security.polito.it
|
|
*
|
|
* Author: Roberto Sassu <roberto.sassu@polito.it>
|
|
*
|
|
* File: ima_template_lib.h
|
|
* Header for the library of supported template fields.
|
|
*/
|
|
#ifndef __LINUX_IMA_TEMPLATE_LIB_H
|
|
#define __LINUX_IMA_TEMPLATE_LIB_H
|
|
|
|
#include <linux/seq_file.h>
|
|
#include "ima.h"
|
|
|
|
#define ENFORCE_FIELDS 0x00000001
|
|
#define ENFORCE_BUFEND 0x00000002
|
|
|
|
void ima_show_template_digest(struct seq_file *m, enum ima_show_type show,
|
|
struct ima_field_data *field_data);
|
|
void ima_show_template_digest_ng(struct seq_file *m, enum ima_show_type show,
|
|
struct ima_field_data *field_data);
|
|
void ima_show_template_string(struct seq_file *m, enum ima_show_type show,
|
|
struct ima_field_data *field_data);
|
|
void ima_show_template_sig(struct seq_file *m, enum ima_show_type show,
|
|
struct ima_field_data *field_data);
|
|
void ima_show_template_buf(struct seq_file *m, enum ima_show_type show,
|
|
struct ima_field_data *field_data);
|
|
int ima_parse_buf(void *bufstartp, void *bufendp, void **bufcurp,
|
|
int maxfields, struct ima_field_data *fields, int *curfields,
|
|
unsigned long *len_mask, int enforce_mask, char *bufname);
|
|
int ima_eventdigest_init(struct ima_event_data *event_data,
|
|
struct ima_field_data *field_data);
|
|
int ima_eventname_init(struct ima_event_data *event_data,
|
|
struct ima_field_data *field_data);
|
|
int ima_eventdigest_ng_init(struct ima_event_data *event_data,
|
|
struct ima_field_data *field_data);
|
|
int ima_eventname_ng_init(struct ima_event_data *event_data,
|
|
struct ima_field_data *field_data);
|
|
int ima_eventsig_init(struct ima_event_data *event_data,
|
|
struct ima_field_data *field_data);
|
|
int ima_eventbuf_init(struct ima_event_data *event_data,
|
|
struct ima_field_data *field_data);
|
|
#endif /* __LINUX_IMA_TEMPLATE_LIB_H */
|