integrity: mark default IMA rules as __ro_after_init

The default IMA rules are loaded during init and then do not change, so mark them as __ro_after_init. Signed-off-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
author: James Morris <jmorris@namei.org> 2017-02-13 00:34:35 -0500
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2017-03-06 19:08:57 -0500
commit: bad4417b692ede5cf31105b329cea1544875b526 (patch)
tree: f50866238676d8c414047e2509145f9e7251bc2d
parent: ca97d939db114c8d1619e10a3b82af8615372dae (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index aed47b777a57..e8498a3f4887 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -83,7 +83,7 @@ struct ima_rule_entry {
 * normal users can easily run the machine out of memory simply building
 * and running executables.
 */
-static struct ima_rule_entry dont_measure_rules[] = {
+static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
        {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
        {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
        {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
@@ -97,7 +97,7 @@ static struct ima_rule_entry dont_measure_rules[] = {
        {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
 };
-static struct ima_rule_entry original_measurement_rules[] = {
+static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
        {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
         .flags = IMA_FUNC | IMA_MASK},
        {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
@@ -108,7 +108,7 @@ static struct ima_rule_entry original_measurement_rules[] = {
        {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
 };
-static struct ima_rule_entry default_measurement_rules[] = {
+static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
        {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
         .flags = IMA_FUNC | IMA_MASK},
        {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
@@ -122,7 +122,7 @@ static struct ima_rule_entry default_measurement_rules[] = {
        {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
 };
-static struct ima_rule_entry default_appraise_rules[] = {
+static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
        {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
        {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
        {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
author	James Morris <jmorris@namei.org>	2017-02-13 00:34:35 -0500
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2017-03-06 19:08:57 -0500
commit	bad4417b692ede5cf31105b329cea1544875b526 (patch)
tree	f50866238676d8c414047e2509145f9e7251bc2d
parent	ca97d939db114c8d1619e10a3b82af8615372dae (diff)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index aed47b777a57..e8498a3f4887 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c
@@ -83,7 +83,7 @@ struct ima_rule_entry {
83	* normal users can easily run the machine out of memory simply building	83	* normal users can easily run the machine out of memory simply building
84	* and running executables.	84	* and running executables.
85	*/	85	*/
86	static struct ima_rule_entry dont_measure_rules[] = {	86	static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
87	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},	87	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
88	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},	88	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
89	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},	89	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
@@ -97,7 +97,7 @@ static struct ima_rule_entry dont_measure_rules[] = {
97	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}	97	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
98	};	98	};
99		99
100	static struct ima_rule_entry original_measurement_rules[] = {	100	static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
101	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,	101	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
102	.flags = IMA_FUNC \| IMA_MASK},	102	.flags = IMA_FUNC \| IMA_MASK},
103	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,	103	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
@@ -108,7 +108,7 @@ static struct ima_rule_entry original_measurement_rules[] = {
108	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},	108	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
109	};	109	};
110		110
111	static struct ima_rule_entry default_measurement_rules[] = {	111	static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
112	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,	112	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
113	.flags = IMA_FUNC \| IMA_MASK},	113	.flags = IMA_FUNC \| IMA_MASK},
114	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,	114	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
@@ -122,7 +122,7 @@ static struct ima_rule_entry default_measurement_rules[] = {
122	{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},	122	{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
123	};	123	};
124		124
125	static struct ima_rule_entry default_appraise_rules[] = {	125	static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
126	{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},	126	{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
127	{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},	127	{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
128	{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},	128	{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},