From: Mimi Zohar
Date: Wed, 18 Aug 2021 14:18:29 +0000 (-0400)
Subject: Merge branch 'restrict-digest-alg-v8' into next-integrity
X-Git-Tag: v5.15~391^2~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=d07eeeb8745973389e1d772b3b654f5860441589;p=platform%2Fkernel%2Flinux-starfive.git

Merge branch 'restrict-digest-alg-v8' into next-integrity

Taken from the cover letter "IMA: restrict the accepted digest algorithms for the security.ima xattr":

Provide users the ability to restrict the algorithms accepted by their system, both when writing/updating xattrs, and when appraising files, while retaining a permissive behavior by default to preserve backward compatibility.

To provide these features, alter the behavior of setxattr to only accept hashes built in the kernel, instead of any hash listed in the kernel (complete list crypto/hash_info.c). In addition, the user can define in his IMA policy the list of digest algorithms allowed for writing to the security.ima xattr. In that case, only algorithms present in that list are accepted for writing.

In addition, users may opt-in to allowlist hash algorithms for appraising thanks to the new 'appraise_algos' IMA policy option. By default IMA will keep accepting any hash algorithm, but specifying that option will make appraisal of files hashed with another algorithm fail.

Link: https://lore.kernel.org/linux-integrity/20210816081056.24530-1-Simon.THOBY@viveris.fr/
---
d07eeeb8745973389e1d772b3b654f5860441589
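An added example, not part of the commit or the kernel tree: a userspace audit that reads the hash algorithm recorded in each security.ima value and lists the files that an 'appraise_algos' allowlist would stop accepting, so they can be re-hashed before the policy is tightened. The xattr layout and algorithm numbering are assumed from the kernel's integrity.h and hash_info.h; the paths, sample bytes and function names are constructed for illustration.

```python
import struct

# Assumed: first entries of enum hash_algo (include/uapi/linux/hash_info.h)
HASH_ALGO = ["md4", "md5", "sha1", "rmd160", "sha256", "sha384", "sha512", "sha224"]

# Assumed: enum evm_ima_xattr_type values (security/integrity/integrity.h)
IMA_XATTR_DIGEST = 0x01      # legacy: bare digest, no algorithm byte
EVM_IMA_XATTR_DIGSIG = 0x03  # signature; the v2 header carries hash_algo
IMA_XATTR_DIGEST_NG = 0x04   # digest prefixed by one hash_algo byte


def ima_xattr_algo(raw):
    """Return the hash algorithm name recorded in a security.ima value, or None."""
    if len(raw) < 2:
        return None
    kind = raw[0]
    if kind == IMA_XATTR_DIGEST_NG:
        idx = raw[1]
    elif kind == EVM_IMA_XATTR_DIGSIG:
        # v2 signature header: type, version, hash_algo, keyid (be32), sig_size (be16)
        if len(raw) < 9 or raw[1] != 2:
            return None
        idx = raw[2]
    elif kind == IMA_XATTR_DIGEST:
        # No algorithm field in the legacy format: infer it from the digest length
        return {16: "md5", 20: "sha1"}.get(len(raw) - 1)
    else:
        return None
    return HASH_ALGO[idx] if idx < len(HASH_ALGO) else None


def audit(xattrs, allowed):
    """Return {path: algo} for values whose algorithm is not in `allowed`."""
    return {path: (ima_xattr_algo(raw) or "unknown")
            for path, raw in xattrs.items()
            if ima_xattr_algo(raw) not in allowed}


# Constructed sample values, not taken from a real system
SAMPLES = {
    "/usr/bin/a": bytes([0x04, 4]) + bytes(32),    # DIGEST_NG, sha256
    "/usr/bin/b": bytes([0x04, 2]) + bytes(20),    # DIGEST_NG, sha1
    "/usr/bin/c": bytes([0x01]) + b"\x11" * 20,    # legacy digest, 20 bytes
    "/usr/bin/d": bytes([0x03, 2, 6]) + struct.pack(">IH", 0xDEADBEEF, 4) + b"sig!",
}

if __name__ == "__main__":
    for path, algo in audit(SAMPLES, {"sha256", "sha384", "sha512"}).items():
        print(f"{path}: {algo} is outside the allowlist")
```

On a live system the values would come from `os.getxattr(path, "security.ima")`, which needs sufficient privilege to read the security namespace.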