path: root/security/integrity/ima/ima_modsig.c
author Tyler Hicks <tyhicks@linux.microsoft.com> 2020-07-09 01:19:09 -0500
committer Mimi Zohar <zohar@linux.ibm.com> 2020-07-20 13:28:15 -0400
commit 30031b0ec8aef903ebede41f43a8d021f0030499
tree 38e042636b5c97028ff7746e68e48b64e8dc86d1 /security/integrity/ima/ima_modsig.c
parent aa0c0227d331719052cf14a3c10e99a12818d81b
ima: Move comprehensive rule validation checks out of the token parser
Use ima_validate_rule(), at the end of the token parsing stage, to verify combinations of actions, hooks, and flags. This is useful to increase readability by consolidating such checks into a single function and also because rule conditionals can be specified in arbitrary order making it difficult to do comprehensive rule validation until the entire rule has been parsed.

This allows for the check that ties together the "keyrings" conditional with the KEY_CHECK function hook to be moved into the final rule validation.

The modsig check no longer needs to be compiled conditionally because the token parser will ensure that modsig support is enabled before accepting "imasig|modsig" appraise type values. The final rule validation will ensure that appraise_type and appraise_flag options are only present in appraise rules.

Finally, this allows for the check that ties together the "pcr" conditional with the measure action to be moved into the final rule validation.

Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
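The reasoning in the commit message above, as an added example that is not part of the commit or the kernel source: a user-space model of a two-stage rule check, where the parser only records tokens and a final validation step enforces the modsig, "keyrings" and "pcr" combinations regardless of token order. The struct, the function names `parse_rule`, `validate_rule` and `rule_ok`, and the simplified token grammar are assumptions made for illustration.

```c
#include <stdbool.h>
#include <string.h>

/* User-space model (assumption): names come from the page, logic does not. */
enum action { UNKNOWN, MEASURE, APPRAISE };
enum hook { NONE, FILE_CHECK, MODULE_CHECK, KEXEC_KERNEL_CHECK,
            KEXEC_INITRAMFS_CHECK, KEY_CHECK };
struct rule { enum action action; enum hook func; bool modsig, keyrings, pcr; };
static const char *hook_names[] = { "", "FILE_CHECK", "MODULE_CHECK",
    "KEXEC_KERNEL_CHECK", "KEXEC_INITRAMFS_CHECK", "KEY_CHECK" };

/* Stage 1: record each token; make no cross-field decision yet. */
static int parse_rule(const char *text, struct rule *r)
{
    char buf[256], *tok;
    memset(r, 0, sizeof(*r));
    if (strlen(text) >= sizeof(buf)) return -1;
    strcpy(buf, text);
    for (tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (!strcmp(tok, "measure")) r->action = MEASURE;
        else if (!strcmp(tok, "appraise")) r->action = APPRAISE;
        else if (!strcmp(tok, "appraise_type=imasig|modsig")) r->modsig = true;
        else if (!strncmp(tok, "keyrings=", 9)) r->keyrings = true;
        else if (!strncmp(tok, "pcr=", 4)) r->pcr = true;
        else if (!strncmp(tok, "func=", 5)) {
            r->func = NONE;
            for (int i = 1; i <= KEY_CHECK; i++)
                if (!strcmp(tok + 5, hook_names[i])) r->func = (enum hook)i;
            if (r->func == NONE) return -1;   /* unknown hook name */
        } else return -1;                     /* unknown token */
    }
    return 0;
}

/* Stage 2: every field is known, so combinations can be checked. */
static bool validate_rule(const struct rule *r)
{
    bool modsig_hook = r->func == MODULE_CHECK ||
        r->func == KEXEC_KERNEL_CHECK || r->func == KEXEC_INITRAMFS_CHECK;
    return r->action != UNKNOWN &&
           (!r->modsig || (r->action == APPRAISE && modsig_hook)) &&
           (!r->keyrings || r->func == KEY_CHECK) &&
           (!r->pcr || r->action == MEASURE);
}

int rule_ok(const char *text)   /* 1 = accepted, 0 = rejected */
{
    struct rule r;
    return parse_rule(text, &r) == 0 && validate_rule(&r);
}
```

A check made while parsing `appraise_type=` would see `func` still unset whenever the hook is named later in the rule; deferring it to stage 2 gives the same verdict for both orderings.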
Diffstat (limited to 'security/integrity/ima/ima_modsig.c')
-rw-r--r-- security/integrity/ima/ima_modsig.c 20
1 files changed, 0 insertions, 20 deletions
diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
index d106885cc495..fb25723c65bc 100644
--- a/security/integrity/ima/ima_modsig.c
+++ b/security/integrity/ima/ima_modsig.c
@@ -32,26 +32,6 @@ struct modsig {
u8 raw_pkcs7[];
};
-/**
- * ima_hook_supports_modsig - can the policy allow modsig for this hook?
- *
- * modsig is only supported by hooks using ima_post_read_file(), because only
- * they preload the contents of the file in a buffer. FILE_CHECK does that in
- * some cases, but not when reached from vfs_open(). POLICY_CHECK can support
- * it, but it's not useful in practice because it's a text file so deny.
- */
-bool ima_hook_supports_modsig(enum ima_hooks func)
-{
- switch (func) {
- case KEXEC_KERNEL_CHECK:
- case KEXEC_INITRAMFS_CHECK:
- case MODULE_CHECK:
- return true;
- default:
- return false;
- }
-}
-
/*
* ima_read_modsig - Read modsig from buf.
*
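Review bot: the kernel-doc comment removed together with ima_hook_supports_modsig() is the only place in these lines that records why modsig is limited to KEXEC_KERNEL_CHECK, KEXEC_INITRAMFS_CHECK and MODULE_CHECK (only hooks using ima_post_read_file() preload the file into a buffer, FILE_CHECK does not when reached from vfs_open(), and POLICY_CHECK is denied on purpose). That rationale should move next to the replacement check in ima_validate_rule() rather than be dropped. Because this view is limited to ima_modsig.c, the replacement is not visible here; worth confirming in the full patch that it rejects "imasig|modsig" for every other hook, including a rule that names no func at all, and that the function's prototype and any stub kept for builds without modsig support are removed along with the definition.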