path: root/security/integrity/integrity.h
diff options
authorDmitry Kasatkin <dmitry.kasatkin@intel.com>2011-08-31 14:07:06 +0300
committerMimi Zohar <zohar@linux.vnet.ibm.com>2012-09-07 14:57:48 -0400
commit8606404fa555c2ee691376fcc640ab89fe752035 (patch)
tree4b2d2e43b7ad196b46757faff10d04803381a543 /security/integrity/integrity.h
parent5a44b41207174e1882ce0c24a752f4cfb65dab07 (diff)
ima: digital signature verification support
This patch adds support for digital signature based integrity appraisal. With this patch, 'security.ima' contains either the file data hash or a digital signature of the file data hash. The file data hash provides the security attribute of file integrity. In addition to file integrity, a digital signature provides the security attribute of authenticity. Unlike EVM, when the file metadata changes, the digital signature is replaced with an HMAC, modification of the file data does not cause the 'security.ima' digital signature to be replaced with a hash. As a result, after any modification, subsequent file integrity appraisals would fail. Although digitally signed files can be modified, but by not updating 'security.ima' to reflect these modifications, in essence digitally signed files could be considered 'immutable'. IMA uses a different keyring than EVM. While the EVM keyring should not be updated after initialization and locked, the IMA keyring should allow updating or adding new keys when upgrading or installing packages. Changelog v4: - Change IMA_DIGSIG to hex equivalent Changelog v3: - Permit files without any 'security.ima' xattr to be labeled properly. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/integrity.h')
1 files changed, 1 insertions, 0 deletions
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 91ccef1c704b..4eec1b14193e 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -21,6 +21,7 @@
#define IMA_APPRAISE 0x04
#define IMA_APPRAISED 0x08
#define IMA_COLLECTED 0x10
+#define IMA_DIGSIG 0x20
enum evm_ima_xattr_type {