Skip to content
Commit 5f3e9265 authored by Tyler Hicks's avatar Tyler Hicks Committed by Mimi Zohar
Browse files

ima: Fail rule parsing when appraise_flag=blacklist is unsupportable 



Verifying that a file hash is not blacklisted is currently only
supported for files with appended signatures (modsig).  In the future,
this might change.

For now, the "appraise_flag" option is only appropriate for appraise
actions and its "blacklist" value is only appropriate when
CONFIG_IMA_APPRAISE_MODSIG is enabled and "appraise_flag=blacklist" is
only appropriate when "appraise_type=imasig|modsig" is also present.
Make this clear at policy load so that IMA policy authors don't assume
that other uses of "appraise_flag=blacklist" are supported.

Fixes: 273df864 ("ima: Check against blacklisted hashes for files with modsig")
Signed-off-by: default avatarTyler Hicks <tyhicks@linux.microsoft.com>
Reivewed-by: default avatarNayna Jain <nayna@linux.ibm.com>
Tested-by: default avatarNayna Jain <nayna@linux.ibm.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent eb624fe2
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment