diff options
| author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2017-04-24 12:04:09 -0400 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2017-06-21 14:37:12 -0400 |
| commit | 33ce9549cfa1e71d77bc91a2e67e65d693e2e53f (patch) | |
| tree | 8e52e9cd2498a07f27dc7f4a055c0b05a8c3567f | |
| parent | cdac74ddf28e2f07319cc89446f9dea35d22d999 (diff) | |
ima: extend the "ima_policy" boot command line to support multiple policies
Add support for providing multiple builtin policies on the "ima_policy="
boot command line. Use "|" as the delimitor separating the policy names.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| -rw-r--r-- | Documentation/admin-guide/kernel-parameters.txt | 17 | ||||
| -rw-r--r-- | security/integrity/ima/ima_policy.c | 15 |
2 files changed, 21 insertions, 11 deletions
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 15f79c27748d..9b4381fee877 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt | |||
| @@ -1477,12 +1477,17 @@ | |||
| 1477 | in crypto/hash_info.h. | 1477 | in crypto/hash_info.h. |
| 1478 | 1478 | ||
| 1479 | ima_policy= [IMA] | 1479 | ima_policy= [IMA] |
| 1480 | The builtin measurement policy to load during IMA | 1480 | The builtin policies to load during IMA setup. |
| 1481 | setup. Specyfing "tcb" as the value, measures all | 1481 | Format: "tcb | appraise_tcb" |
| 1482 | programs exec'd, files mmap'd for exec, and all files | 1482 | |
| 1483 | opened with the read mode bit set by either the | 1483 | The "tcb" policy measures all programs exec'd, files |
| 1484 | effective uid (euid=0) or uid=0. | 1484 | mmap'd for exec, and all files opened with the read |
| 1485 | Format: "tcb" | 1485 | mode bit set by either the effective uid (euid=0) or |
| 1486 | uid=0. | ||
| 1487 | |||
| 1488 | The "appraise_tcb" policy appraises the integrity of | ||
| 1489 | all files owned by root. (This is the equivalent | ||
| 1490 | of ima_appraise_tcb.) | ||
| 1486 | 1491 | ||
| 1487 | ima_tcb [IMA] Deprecated. Use ima_policy= instead. | 1492 | ima_tcb [IMA] Deprecated. Use ima_policy= instead. |
| 1488 | Load a policy which meets the needs of the Trusted | 1493 | Load a policy which meets the needs of the Trusted |
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 3ab1067db624..0ddc41389a9c 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c | |||
| @@ -170,19 +170,24 @@ static int __init default_measure_policy_setup(char *str) | |||
| 170 | } | 170 | } |
| 171 | __setup("ima_tcb", default_measure_policy_setup); | 171 | __setup("ima_tcb", default_measure_policy_setup); |
| 172 | 172 | ||
| 173 | static bool ima_use_appraise_tcb __initdata; | ||
| 173 | static int __init policy_setup(char *str) | 174 | static int __init policy_setup(char *str) |
| 174 | { | 175 | { |
| 175 | if (ima_policy) | 176 | char *p; |
| 176 | return 1; | ||
| 177 | 177 | ||
| 178 | if (strcmp(str, "tcb") == 0) | 178 | while ((p = strsep(&str, " |\n")) != NULL) { |
| 179 | ima_policy = DEFAULT_TCB; | 179 | if (*p == ' ') |
| 180 | continue; | ||
| 181 | if ((strcmp(p, "tcb") == 0) && !ima_policy) | ||
| 182 | ima_policy = DEFAULT_TCB; | ||
| 183 | else if (strcmp(p, "appraise_tcb") == 0) | ||
| 184 | ima_use_appraise_tcb = 1; | ||
| 185 | } | ||
| 180 | 186 | ||
| 181 | return 1; | 187 | return 1; |
| 182 | } | 188 | } |
| 183 | __setup("ima_policy=", policy_setup); | 189 | __setup("ima_policy=", policy_setup); |
| 184 | 190 | ||
| 185 | static bool ima_use_appraise_tcb __initdata; | ||
| 186 | static int __init default_appraise_policy_setup(char *str) | 191 | static int __init default_appraise_policy_setup(char *str) |
| 187 | { | 192 | { |
| 188 | ima_use_appraise_tcb = 1; | 193 | ima_use_appraise_tcb = 1; |