authorThiago Jung Bauermann <bauerman@linux.ibm.com>2019-06-27 23:19:30 -0300
committerMimi Zohar <zohar@linux.ibm.com>2019-08-05 18:40:23 -0400
commit39b07096364a42c516415d5f841069e885234e61 (patch)
tree5ab235d361dcf9671a715f4fa38259789fa68e3f /security/integrity/integrity.h
parenta5fbeb615ca42f913ace3291d636e96feabcc545 (diff)
ima: Implement support for module-style appended signatures
Implement the appraise_type=imasig|modsig option, allowing IMA to read and verify modsig signatures. In case a file has both an xattr signature and an appended modsig, IMA will only use the appended signature if the key used by the xattr signature isn't present in the IMA or platform keyring. Because modsig verification needs to convert from an integrity keyring id to the keyring itself, add an integrity_keyring_from_id() function in digsig.c so that integrity_modsig_verify() can use it. Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security/integrity/integrity.h')
-rw-r--r--security/integrity/integrity.h19
1 files changed, 19 insertions, 0 deletions
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 8c5736b68156..d9323d31a3a8 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -148,10 +148,13 @@ int integrity_kernel_read(struct file *file, loff_t offset,
extern struct dentry *integrity_dir;
+struct modsig;
+
#ifdef CONFIG_INTEGRITY_SIGNATURE
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen);
+int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
int __init integrity_init_keyring(const unsigned int id);
int __init integrity_load_x509(const unsigned int id, const char *path);
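Review bot: The new `integrity_modsig_verify()` prototype has no comment saying what `id` must be or how the return value is to be read, although this call decides whether an appended signature is accepted. Going by the commit description, `id` is an integrity keyring id that digsig.c converts through `integrity_keyring_from_id()`; that lookup is outside this page, so its handling of an out-of-range `id` cannot be confirmed here. Assuming the usual 0-on-success convention, I would add above the declaration `/* Returns 0 only if modsig verifies against the keyring selected by id; any other value means not verified. */` and state there that an invalid `id` produces an error.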
@@ -166,6 +169,12 @@ static inline int integrity_digsig_verify(const unsigned int id,
return -EOPNOTSUPP;
}
+static inline int integrity_modsig_verify(unsigned int id,
+ const struct modsig *modsig)
+{
+ return -EOPNOTSUPP;
+}
+
static inline int integrity_init_keyring(const unsigned int id)
{
return 0;
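Review bot: The `integrity_modsig_verify()` stub added here returns `-EOPNOTSUPP` without a comment, while the `integrity_init_keyring()` stub just below it returns 0, so a reader cannot tell from the header that this one is meant to fail closed. I would put `/* No signature support built in: report failure so an appended signature is never treated as verified. */` above the stub. The same applies to the `ima_modsig_verify()` stub in the last hunk, which is gated on `CONFIG_IMA_APPRAISE_MODSIG` rather than `CONFIG_INTEGRITY_SIGNATURE`. With signatures enabled and modsig disabled, the real `integrity_modsig_verify()` would presumably end up in that stub, and callers need to treat its `-EOPNOTSUPP` as an appraisal failure rather than as "nothing to check".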
@@ -191,6 +200,16 @@ static inline int asymmetric_verify(struct key *keyring, const char *sig,
}
#endif
+#ifdef CONFIG_IMA_APPRAISE_MODSIG
+int ima_modsig_verify(struct key *keyring, const struct modsig *modsig);
+#else
+static inline int ima_modsig_verify(struct key *keyring,
+ const struct modsig *modsig)
+{
+ return -EOPNOTSUPP;
+}
+#endif
+
#ifdef CONFIG_IMA_LOAD_X509
void __init ima_load_x509(void);
#else