hulk inclusion
category: feature
feature: IMA Digest Lists extension
bugzilla: 46797

-------------------------------------------------

Currently, IMA supports the appraise_type=imasig option in the policy to
require file signatures. This patch introduces the new option
appraise_type=meta_immutable to require that file metadata are signed and
immutable. This requirement can be satisfied by portable signatures and
by digest lists if they are marked as immutable.

The main purpose of this option is to ensure that file metadata are correct
at the time of access, so that policies relying on labels can be correctly
enforced. For example, requiring immutable metadata would prevent an
administrator from altering the label assigned to a process during
execve() by changing the label of the executable.
Signed-off-by: NRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: NTianxing Zhang <zhangtianxing3@huawei.com>
Reviewed-by: NJason Yan <yanaijie@huawei.com>
Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>