// SPDX-License-Identifier: GPL-2.0+
/*
 * IMA support for appraising module-style appended signatures.
 *
 * Copyright (C) 2019 IBM Corporation
 *
 * Author:
 * Thiago Jung Bauermann <bauerman@linux.ibm.com>
 */

#include "ima.h"

/**
 * ima_hook_supports_modsig - can the policy allow modsig for this hook?
 *
 * modsig is only supported by hooks using ima_post_read_file(), because only
 * they preload the contents of the file in a buffer. FILE_CHECK does that in
 * some cases, but not when reached from vfs_open(). POLICY_CHECK can support
 * it, but it's not useful in practice because it's a text file so deny.
 */
bool ima_hook_supports_modsig(enum ima_hooks func)
{
	switch (func) {
	case KEXEC_KERNEL_CHECK:
	case KEXEC_INITRAMFS_CHECK:
	case MODULE_CHECK:
		return true;
	default:
		return false;
	}
}
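
Added example (not part of the kernel source above): a userspace lint for IMA policy rules that applies the same allow-list as ima_hook_supports_modsig() and flags rules requesting `appraise_type=imasig|modsig` on a hook that cannot provide it. `lint_rule()` and `hook_supports_modsig()` are hypothetical names, the sample rules are constructed, and the whitespace tokenizer is a simplification of the kernel's policy parser.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MODSIG_OPT "appraise_type=imasig|modsig"

/* Same allow-list as ima_hook_supports_modsig(), keyed by the policy's func= name. */
static bool hook_supports_modsig(const char *func)
{
	static const char *const ok[] = {
		"KEXEC_KERNEL_CHECK", "KEXEC_INITRAMFS_CHECK", "MODULE_CHECK",
	};
	for (size_t i = 0; i < sizeof(ok) / sizeof(ok[0]); i++)
		if (strcmp(func, ok[i]) == 0)
			return true;
	return false;
}

/* Hypothetical helper: 0 if the rule is acceptable, -1 if modsig is requested on an unsupported hook. */
int lint_rule(const char *rule)
{
	char func[64] = "";
	bool wants_modsig = false;
	const char *p = rule;

	while (*(p += strspn(p, " \t\n"))) {
		size_t n = strcspn(p, " \t\n");
		if (n > 5 && strncmp(p, "func=", 5) == 0)
			snprintf(func, sizeof(func), "%.*s", (int)(n - 5), p + 5);
		else if (n == strlen(MODSIG_OPT) && strncmp(p, MODSIG_OPT, n) == 0)
			wants_modsig = true;
		p += n;
	}
	/* A rule without func= is treated like the default (false) branch of the switch. */
	return (!wants_modsig || hook_supports_modsig(func)) ? 0 : -1;
}

int main(void)
{
	/* Constructed sample rules, not taken from any real policy. */
	const char *rules[] = {
		"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
		"appraise func=FILE_CHECK appraise_type=imasig|modsig",
		"appraise func=POLICY_CHECK appraise_type=imasig",
	};
	for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
		printf("%-4s %s\n", lint_rule(rules[i]) ? "BAD" : "ok", rules[i]);
	return 0;
}
```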