author: Mimi Zohar <zohar@linux.ibm.com> 2021-12-23 12:29:56 -0500
committer: Mimi Zohar <zohar@linux.ibm.com> 2022-05-05 11:49:13 -0400
commit: 54f03916fb892441f9a9b579db9ad7925cdeb395 (patch)
tree: 0fdee8270399ff57636479db46d5d37044373608 /security/integrity/ima/ima_main.c
parent: ima: define a new template field named 'd-ngv2' and templates (diff)
ima: permit fsverity's file digests in the IMA measurement list

Permit fsverity's file digest (a hash of struct fsverity_descriptor) to be included in the IMA measurement list, based on the new measurement policy rule 'digest_type=verity' option. To differentiate between a regular IMA file hash from an fsverity's file digest, use the new d-ngv2 format field included in the ima-ngv2 template.

The following policy rule requires fsverity file digests and specifies the new 'ima-ngv2' template, which contains the new 'd-ngv2' field. The policy rule may be constrained, for example based on a fsuuid or LSM label.

    measure func=FILE_CHECK digest_type=verity template=ima-ngv2

Acked-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security/integrity/ima/ima_main.c')

-rw-r--r-- security/integrity/ima/ima_main.c | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 1aebf63ad7a6..040b03ddc1c7 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -335,7 +335,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
- if (rc != 0 && rc != -EBADF && rc != -EINVAL)
+ if (rc == -ENOMEM)
goto out_locked;
if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */
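Review bot: the early-exit condition at `if (rc == -ENOMEM)` is much narrower than the one it replaces (`if (rc != 0 && rc != -EBADF && rc != -EINVAL)`), so every non-zero return from ima_collect_measurement() other than -ENOMEM now falls through to the measurement and appraisal path instead of jumping to out_locked, and the commit message, which only describes the 'digest_type=verity' policy option and the 'd-ngv2' template field, gives no rationale for this error-handling change. Please document why errors other than -ENOMEM should no longer abort process_measurement() here, either in the commit message or as a short comment above the check (for example noting that a failed digest collection is expected to be reflected in the recorded measurement rather than skipped), so that a later reader does not read the widened fall-through as an accidental loss of error handling.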