aboutsummaryrefslogtreecommitdiffstats
path: root/security/integrity
diff options
context:
space:
mode:
authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-05-08 06:11:29 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2014-09-17 16:14:23 -0400
commit2faa6ef3b21152cc05b69a84113625dcee63176f (patch)
tree672d532b7b6430be5ff166510a15d5fa5994fd8e /security/integrity
parent31b70f66328e85517b159c786ab31f3fd9a7293c (diff)
ima: provide 'ima_appraise=log' kernel option
The kernel boot parameter "ima_appraise" currently defines 'off', 'enforce' and 'fix' modes. When designing a policy and labeling the system, access to files are either blocked in the default 'enforce' mode or automatically fixed in the 'fix' mode. It is beneficial to be able to run the system in a logging only mode, without fixing it, in order to properly analyze the system. This patch adds a 'log' mode to run the system in a permissive mode and log the appraisal results. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/ima/ima.h5
-rw-r--r--security/integrity/ima/ima_appraise.c2
2 files changed, 5 insertions, 2 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 8e4bb883fc13..d61680dcd365 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -159,8 +159,9 @@ void ima_delete_rules(void);
159/* Appraise integrity measurements */ 159/* Appraise integrity measurements */
160#define IMA_APPRAISE_ENFORCE 0x01 160#define IMA_APPRAISE_ENFORCE 0x01
161#define IMA_APPRAISE_FIX 0x02 161#define IMA_APPRAISE_FIX 0x02
162#define IMA_APPRAISE_MODULES 0x04 162#define IMA_APPRAISE_LOG 0x04
163#define IMA_APPRAISE_FIRMWARE 0x08 163#define IMA_APPRAISE_MODULES 0x08
164#define IMA_APPRAISE_FIRMWARE 0x10
164 165
165#ifdef CONFIG_IMA_APPRAISE 166#ifdef CONFIG_IMA_APPRAISE
166int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, 167int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 013ec3f0e42d..2dc13fbb7e91 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -23,6 +23,8 @@ static int __init default_appraise_setup(char *str)
23{ 23{
24 if (strncmp(str, "off", 3) == 0) 24 if (strncmp(str, "off", 3) == 0)
25 ima_appraise = 0; 25 ima_appraise = 0;
26 else if (strncmp(str, "log", 3) == 0)
27 ima_appraise = IMA_APPRAISE_LOG;
26 else if (strncmp(str, "fix", 3) == 0) 28 else if (strncmp(str, "fix", 3) == 0)
27 ima_appraise = IMA_APPRAISE_FIX; 29 ima_appraise = IMA_APPRAISE_FIX;
28 return 1; 30 return 1;