IMA: add support to restrict the hash algorithms used for file appraisal

The kernel accepts any hash algorithm as a value for the security.ima xattr. Users may wish to restrict the accepted algorithms to only support strong cryptographic ones. Provide the plumbing to restrict the permitted set of hash algorithms used for verifying file hashes and signatures stored in security.ima xattr. Signed-off-by: THOBY Simon <[email protected]> Reviewed-by: Lakshmi Ramasubramanian <[email protected]> Signed-off-by: Mimi Zohar <[email protected]>
author: THOBY Simon <[email protected]> 2021-08-16 08:11:00 +0000
committer: Mimi Zohar <[email protected]> 2021-08-16 17:30:41 -0400
commit: 1624dc0086056c3a35fd34b0235bb1eb88c1c4d5 (patch)
tree: 5b2d3eb0600d257add0a38841c7af1c275b7c540 /security/integrity/ima/ima_appraise.c
parent: 50f742dd91474e7f4954bf88d094eede59783883 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index baeb10efbf51..e2edef8a9185 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -77,8 +77,9 @@ int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode,
 		return 0;
 
 	security_task_getsecid_subj(current, &secid);
-	return ima_match_policy(mnt_userns, inode, current_cred(), secid, func,
-				mask, IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL);
+	return ima_match_policy(mnt_userns, inode, current_cred(), secid,
+				func, mask, IMA_APPRAISE | IMA_HASH, NULL,
+				NULL, NULL, NULL);
 }
 
 static int ima_fix_xattr(struct dentry *dentry,
author	THOBY Simon <[email protected]>	2021-08-16 08:11:00 +0000
committer	Mimi Zohar <[email protected]>	2021-08-16 17:30:41 -0400
commit	1624dc0086056c3a35fd34b0235bb1eb88c1c4d5 (patch)
tree	5b2d3eb0600d257add0a38841c7af1c275b7c540 /security/integrity/ima/ima_appraise.c
parent	50f742dd91474e7f4954bf88d094eede59783883 (diff)