ima: Add modsig appraise_type option for module-style appended signatures

			euid:= decimal value

			euid:= decimal value

			fowner:= decimal value

			fowner:= decimal value

		lsm:  	are LSM specific

		lsm:  	are LSM specific

		option:	appraise_type:= [imasig]

		option:	appraise_type:= [imasig] [imasig|modsig]

			template:= name of a defined IMA template type

			template:= name of a defined IMA template type

			(eg, ima-ng). Only valid when action is "measure".

			(eg, ima-ng). Only valid when action is "measure".

			pcr:= decimal value

			pcr:= decimal value

			measure func=KEXEC_KERNEL_CHECK pcr=4

			measure func=KEXEC_KERNEL_CHECK pcr=4

			measure func=KEXEC_INITRAMFS_CHECK pcr=5

			measure func=KEXEC_INITRAMFS_CHECK pcr=5

		Example of appraise rule allowing modsig appended signatures:

			appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig

	  This option enables the different "ima_appraise=" modes

	  This option enables the different "ima_appraise=" modes

	  (eg. fix, log) from the boot command line.

	  (eg. fix, log) from the boot command line.

config IMA_APPRAISE_MODSIG

	bool "Support module-style signatures for appraisal"

	depends on IMA_APPRAISE

	default n

	help

	   Adds support for signatures appended to files. The format of the

	   appended signature is the same used for signed kernel modules.

	   The modsig keyword can be used in the IMA policy to allow a hook

	   to accept such signatures.

config IMA_TRUSTED_KEYRING

config IMA_TRUSTED_KEYRING

	bool "Require all keys on the .ima keyring be signed (deprecated)"

	bool "Require all keys on the .ima keyring be signed (deprecated)"

	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING

	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING

ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \

ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \

	 ima_policy.o ima_template.o ima_template_lib.o

	 ima_policy.o ima_template.o ima_template_lib.o

ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o

ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o

ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o

ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o

ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o

obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o

obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o

#endif /* CONFIG_IMA_APPRAISE */

#endif /* CONFIG_IMA_APPRAISE */

#ifdef CONFIG_IMA_APPRAISE_MODSIG

bool ima_hook_supports_modsig(enum ima_hooks func);

#else

static inline bool ima_hook_supports_modsig(enum ima_hooks func)

{

	return false;

}

#endif /* CONFIG_IMA_APPRAISE_MODSIG */

/* LSM based policy rules require audit */

/* LSM based policy rules require audit */

#ifdef CONFIG_IMA_LSM_RULES

#ifdef CONFIG_IMA_LSM_RULES

// SPDX-License-Identifier: GPL-2.0+

/*

 * IMA support for appraising module-style appended signatures.

 *

 * Copyright (C) 2019  IBM Corporation

 *

 * Author:

 * Thiago Jung Bauermann <bauerman@linux.ibm.com>

 */

#include "ima.h"

/**

 * ima_hook_supports_modsig - can the policy allow modsig for this hook?

 *

 * modsig is only supported by hooks using ima_post_read_file(), because only

 * they preload the contents of the file in a buffer. FILE_CHECK does that in

 * some cases, but not when reached from vfs_open(). POLICY_CHECK can support

 * it, but it's not useful in practice because it's a text file so deny.

 */

bool ima_hook_supports_modsig(enum ima_hooks func)

{

	switch (func) {

	case KEXEC_KERNEL_CHECK:

	case KEXEC_INITRAMFS_CHECK:

	case MODULE_CHECK:

		return true;

	default:

		return false;

	}

}