On Mon, 2022-02-07 at 20:41 -0500, Mimi Zohar wrote:
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 28aca1f9633b..576cbe790e27 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1728,10 +1728,13 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> break;
> case Opt_digest_type:
> ima_log_string(ab, "digest_type", args[0].from);
> - if ((strcmp(args[0].from, "verity")) == 0)
> + if ((strcmp(args[0].from, "verity")) == 0) {
> entry->flags |= IMA_VERITY_REQUIRED;
> - else
> + if (entry->action == APPRAISE)
> + entry->flags |= IMA_DIGSIG_REQUIRED;
Instead of overloading the "digest_type=verity" to require a signature, extend the existing "appraise_type" to support signature v3 (e.g. appraise_type=sigv3). This will simplify IMA signature v3 support in the future.
> + } else {
> result = -EINVAL;
> + }
> break;
> case Opt_appraise_type:
> ima_log_string(ab, "appraise_type", args[0].from);
> --
thanks, Mimi
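Review bot: The new `if (entry->action == APPRAISE)` test inside the Opt_digest_type case is order-dependent: it sets IMA_DIGSIG_REQUIRED only if the action token has already been parsed by the time `digest_type=verity` is reached, so a rule that places `digest_type=` before the action would leave the token loop with the fs-verity digest accepted but no signature requirement, unless ima_parse_rule enforces that the action comes first (that is not visible in the hunk). A safer place for the implication is after the token loop, in the validation of the completed entry, e.g. `if ((entry->flags & IMA_VERITY_REQUIRED) && entry->action == APPRAISE) entry->flags |= IMA_DIGSIG_REQUIRED;`, which is also where it can be cross-checked against an explicit `appraise_type=` on the same rule. ima_parse_rule's body continues outside the hunk on both sides.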