Commit a60c538e authored by Linus Torvalds's avatar Linus Torvalds
Pull integrity subsystem updates from Mimi Zohar:
 "The large majority of the changes are EVM portable & immutable
  signature related: removing a dependency on loading an HMAC key,
  safely allowing file metadata included in the EVM portable & immutable
  signatures to be modified, allowing EVM signatures to fulfill IMA file
  signature policy requirements, including the EVM file metadata
  signature in lieu of an IMA file data signature in the measurement
  list, and adding dynamic debugging of EVM file metadata.

  In addition, in order to detect critical data or file change
  reversions, duplicate measurement records are permitted in the IMA
  measurement list.

  The remaining patches address compiler, sparse, and doc warnings"

* tag 'integrity-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: (31 commits)
  evm: Check xattr size discrepancy between kernel and user
  evm: output EVM digest calculation info
  IMA: support for duplicate measurement records
  ima: Fix warning: no previous prototype for function 'ima_add_kexec_buffer'
  ima: differentiate between EVM failures in the audit log
  ima: Fix fall-through warning for Clang
  ima: Pass NULL instead of 0 to ima_get_action() in ima_file_mprotect()
  ima: Include header defining ima_post_key_create_or_update()
  ima/evm: Fix type mismatch
  ima: Set correct casting types
  doc: Fix warning in Documentation/security/IMA-templates.rst
  evm: Don't return an error in evm_write_xattrs() if audit is not enabled
  ima: Define new template evm-sig
  ima: Define new template fields xattrnames, xattrlengths and xattrvalues
  evm: Verify portable signatures against all protected xattrs
  ima: Define new template field imode
  ima: Define new template fields iuid and igid
  ima: Add ima_show_template_uint() template library function
  ima: Don't remove security.ima if file must not be appraised
  ima: Introduce template field evmsig and write to field sig as fallback
  ...
parents 9cd19f02 907a399d
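--- a/Documentation/ABI/testing/evm
+++ b/Documentation/ABI/testing/evm
@@ -24,7 +24,7 @@ Description:
 		1	  Enable digital signature validation
 		2	  Permit modification of EVM-protected metadata at
 			  runtime. Not supported if HMAC validation and
-			  creation is enabled.
+			  creation is enabled (deprecated).
 		31	  Disable further runtime modification of EVM policy
 		===	  ==================================================
 
@@ -47,10 +47,38 @@ Description:
 
 		will enable digital signature validation, permit
 		modification of EVM-protected metadata and
-		disable all further modification of policy
+		disable all further modification of policy. This option is now
+		deprecated in favor of::
 
-		Note that once a key has been loaded, it will no longer be
-		possible to enable metadata modification.
+		  echo 0x80000002 ><securityfs>/evm
 
+		as the outstanding issues that prevent the usage of EVM portable
+		signatures have been solved.
+
+		Echoing a value is additive, the new value is added to the
+		existing initialization flags.
+
+		For example, after::
+
+		  echo 2 ><securityfs>/evm
+
+		another echo can be performed::
+
+		  echo 1 ><securityfs>/evm
+
+		and the resulting value will be 3.
+
+		Note that once an HMAC key has been loaded, it will no longer
+		be possible to enable metadata modification. Signaling that an
+		HMAC key has been loaded will clear the corresponding flag.
+		For example, if the current value is 6 (2 and 4 set)::
+
+		  echo 1 ><securityfs>/evm
+
+		will set the new value to 3 (4 cleared).
+
+		Loading an HMAC key is the only way to disable metadata
+		modification.
+
 		Until key loading has been signaled EVM can not create
 		or validate the 'security.evm' xattr, but returns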
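--- a/Documentation/security/IMA-templates.rst
+++ b/Documentation/security/IMA-templates.rst
@@ -70,9 +70,18 @@ descriptors by adding their identifier to the format string
    prefix is shown only if the hash algorithm is not SHA1 or MD5);
  - 'd-modsig': the digest of the event without the appended modsig;
  - 'n-ng': the name of the event, without size limitations;
- - 'sig': the file signature;
+ - 'sig': the file signature, or the EVM portable signature if the file
+   signature is not found;
  - 'modsig' the appended file signature;
  - 'buf': the buffer data that was used to generate the hash without size limitations;
+ - 'evmsig': the EVM portable signature;
+ - 'iuid': the inode UID;
+ - 'igid': the inode GID;
+ - 'imode': the inode mode;
+ - 'xattrnames': a list of xattr names (separated by ``|``), only if the xattr is
+    present;
+ - 'xattrlengths': a list of xattr lengths (u32), only if the xattr is present;
+ - 'xattrvalues': a list of xattr values;
 
 
 Below, there is the list of defined template descriptors:
@@ -82,6 +91,7 @@ Below, there is the list of defined template descriptors:
  - "ima-sig": its format is ``d-ng|n-ng|sig``;
  - "ima-buf": its format is ``d-ng|n-ng|buf``;
  - "ima-modsig": its format is ``d-ng|n-ng|sig|d-modsig|modsig``;
+ - "evm-sig": its format is ``d-ng|n-ng|evmsig|xattrnames|xattrlengths|xattrvalues|iuid|igid|imode``;
 
 
 Use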
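--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -23,18 +23,25 @@ extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
 					     struct integrity_iint_cache *iint);
 extern int evm_inode_setattr(struct dentry *dentry, struct iattr *attr);
 extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid);
-extern int evm_inode_setxattr(struct dentry *dentry, const char *name,
+extern int evm_inode_setxattr(struct user_namespace *mnt_userns,
+			      struct dentry *dentry, const char *name,
 			      const void *value, size_t size);
 extern void evm_inode_post_setxattr(struct dentry *dentry,
 				    const char *xattr_name,
 				    const void *xattr_value,
 				    size_t xattr_value_len);
-extern int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name);
+extern int evm_inode_removexattr(struct user_namespace *mnt_userns,
+				 struct dentry *dentry, const char *xattr_name);
 extern void evm_inode_post_removexattr(struct dentry *dentry,
 				       const char *xattr_name);
 extern int evm_inode_init_security(struct inode *inode,
 				   const struct xattr *xattr_array,
 				   struct xattr *evm);
+extern bool evm_revalidate_status(const char *xattr_name);
+extern int evm_protected_xattr_if_enabled(const char *req_xattr_name);
+extern int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
+				     int buffer_size, char type,
+				     bool canonical_fmt);
 #ifdef CONFIG_FS_POSIX_ACL
 extern int posix_xattr_acl(const char *xattrname);
 #else
@@ -71,7 +78,8 @@ static inline void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
 	return;
 }
 
-static inline int evm_inode_setxattr(struct dentry *dentry, const char *name,
+static inline int evm_inode_setxattr(struct user_namespace *mnt_userns,
+				     struct dentry *dentry, const char *name,
 				     const void *value, size_t size)
 {
 	return 0;
@@ -85,7 +93,8 @@ static inline void evm_inode_post_setxattr(struct dentry *dentry,
 	return;
 }
 
-static inline int evm_inode_removexattr(struct dentry *dentry,
+static inline int evm_inode_removexattr(struct user_namespace *mnt_userns,
+					struct dentry *dentry,
 					const char *xattr_name)
 {
 	return 0;
@@ -104,5 +113,22 @@ static inline int evm_inode_init_security(struct inode *inode,
 	return 0;
 }
 
+static inline bool evm_revalidate_status(const char *xattr_name)
+{
+	return false;
+}
+
+static inline int evm_protected_xattr_if_enabled(const char *req_xattr_name)
+{
+	return false;
+}
+
+static inline int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
+					    int buffer_size, char type,
+					    bool canonical_fmt)
+{
+	return -EOPNOTSUPP;
+}
+
 #endif /* CONFIG_EVM */
 #endif /* LINUX_EVM_H */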
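Review bot: The `!CONFIG_EVM` stub of `evm_protected_xattr_if_enabled()` in the last hunk returns `false` from a function whose declaration in the first hunk is `int`; it compiles because `false` is 0, but it reads as a bool and disagrees with the neighbouring `int` stubs that return `0` or `-EOPNOTSUPP` — change it to `return 0;`. Separately, `evm_read_protected_xattrs()` takes `int buffer_size` for a `u8 *buffer`; a `size_t` would exclude negative sizes by type, and since the real implementation is outside this header it cannot be confirmed here whether a negative value is rejected there. The three new exported prototypes also carry no comment; a one-line description of what `type` and `canonical_fmt` select and what `evm_protected_xattr_if_enabled()` returns would help callers, though those semantics are not visible in this hunk.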
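--- a/include/linux/integrity.h
+++ b/include/linux/integrity.h
@@ -13,6 +13,7 @@ enum integrity_status {
 	INTEGRITY_PASS = 0,
 	INTEGRITY_PASS_IMMUTABLE,
 	INTEGRITY_FAIL,
+	INTEGRITY_FAIL_IMMUTABLE,
 	INTEGRITY_NOLABEL,
 	INTEGRITY_NOXATTRS,
 	INTEGRITY_UNKNOWN,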
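Review bot: `INTEGRITY_FAIL_IMMUTABLE` is inserted between `INTEGRITY_FAIL` and `INTEGRITY_NOLABEL`, which shifts the numeric values of the three enumerators after it; that is harmless only if nothing persists, compares or logs the raw values, which this hunk cannot show, so it is worth a quick check of the consumers before keeping this placement (placing it last would keep existing values stable). The new enumerator also has no comment, unlike the name alone can convey; suggest `INTEGRITY_FAIL_IMMUTABLE,	/* verification failed on a file carrying a portable/immutable signature — confirm against evm_verifyxattr() */`. The enum's closing brace lies outside the hunk.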
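--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -29,6 +29,7 @@
 struct xattr_list {
 	struct list_head list;
 	char *name;
+	bool enabled;
 };
 
 extern int evm_initialized;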
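Review bot: The new `enabled` member of `struct xattr_list` has no comment, so a reader of this header cannot tell what it gates, who sets or clears it, or whether a zero-initialized entry is meant to be protected; only the bare field is visible in this hunk. Suggest `bool enabled;	/* xattr is currently EVM-protected; see evm_protected_xattr_if_enabled() — confirm */`, and check that every site that allocates an `xattr_list` (outside this hunk) initializes the field explicitly rather than relying on the allocator zeroing it.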