On Wed, 2021-08-04 at 09:20 +0000, THOBY Simon wrote: > diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy > index 070779e8d836..aeb622698047 100644 > --- a/Documentation/ABI/testing/ima_policy > +++ b/Documentation/ABI/testing/ima_policy > @@ -27,7 +27,7 @@ Description: > lsm: [[subj_user=] [subj_role=] [subj_type=] > [obj_user=] [obj_role=] [obj_type=]] > option: [[appraise_type=]] [template=] [permit_directio] > - [appraise_flag=] [keyrings=] > + [appraise_flag=] [appraise_hash=] [keyrings=] Continuing the suggestion from 3/5, perhaps the new option should be named "appraise_algo=". > base: > func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] > [FIRMWARE_CHECK] > @@ -55,6 +55,10 @@ Description: > label:= [selinux]|[kernel_info]|[data_label] > data_label:= a unique string used for grouping and limiting critical data. > For example, "selinux" to measure critical data for SELinux. > + appraise_hash:= comma-separated list of hash algorithms > + For example, "sha256,sha512" to only accept to appraise > + files where the security.ima xattr was hashed with one > + of these two algorithms. > > default policy: > # PROC_SUPER_MAGIC thanks, Mimi
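Review bot: the description added in the second hunk ("to only accept to appraise files where the security.ima xattr was hashed with one of these two algorithms") leaves the failure case undefined; an ABI document should say what happens to a file whose security.ima xattr uses an algorithm outside the list, i.e. whether appraisal of that file fails or whether the rule simply does not match it, since those are very different security outcomes for a policy author. The phrasing is also awkward; something like "For example, "sha256,sha512" to only appraise files whose security.ima xattr was hashed with one of these two algorithms; files hashed with any other algorithm <fail appraisal | are not matched by this rule>" with the correct alternative filled in would make the semantics unambiguous. Whatever name is settled on for the option (the rename to "appraise_algo=" suggested above), both the option grammar in the first hunk and the definition in the second hunk need to use the same keyword.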