diff options
| author | Mimi Zohar <zohar@linux.ibm.com> | 2018-11-14 17:24:13 -0500 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2018-12-11 07:19:46 -0500 |
| commit | 060190fbe676268a04a80d5f4b426fc3db9c2401 (patch) | |
| tree | 1183ef3c2681e9ffb113a661f70b839c06d45ac6 /security | |
| parent | 399574c64eaf94e82b7cf056978d7e68748c0f1d (diff) | |
ima: don't measure/appraise files on efivarfs
Update the builtin IMA policies specified on the boot command line
(eg. ima_policy="tcb|appraise_tcb") to permit accessing efivar files.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/integrity/ima/ima_policy.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index b20770704b6c..d17a23b5c91d 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c | |||
| @@ -107,7 +107,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { | |||
| 107 | .flags = IMA_FSMAGIC}, | 107 | .flags = IMA_FSMAGIC}, |
| 108 | {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, | 108 | {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, |
| 109 | .flags = IMA_FSMAGIC}, | 109 | .flags = IMA_FSMAGIC}, |
| 110 | {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC} | 110 | {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, |
| 111 | {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} | ||
| 111 | }; | 112 | }; |
| 112 | 113 | ||
| 113 | static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { | 114 | static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { |
| @@ -150,6 +151,7 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { | |||
| 150 | {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, | 151 | {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, |
| 151 | {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, | 152 | {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, |
| 152 | {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, | 153 | {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, |
| 154 | {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, | ||
| 153 | {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, | 155 | {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, |
| 154 | {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, | 156 | {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, |
| 155 | #ifdef CONFIG_IMA_WRITE_POLICY | 157 | #ifdef CONFIG_IMA_WRITE_POLICY |