aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--security/integrity/ima/ima.h4
-rw-r--r--security/integrity/ima/ima_appraise.c4
-rw-r--r--security/integrity/ima/ima_main.c8
-rw-r--r--security/integrity/ima/ima_policy.c23
4 files changed, 34 insertions, 5 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index d61680dcd365..8ee997dff139 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -43,6 +43,9 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
43#define IMA_TEMPLATE_IMA_NAME "ima" 43#define IMA_TEMPLATE_IMA_NAME "ima"
44#define IMA_TEMPLATE_IMA_FMT "d|n" 44#define IMA_TEMPLATE_IMA_FMT "d|n"
45 45
46/* current content of the policy */
47extern int ima_policy_flag;
48
46/* set during initialization */ 49/* set during initialization */
47extern int ima_initialized; 50extern int ima_initialized;
48extern int ima_used_chip; 51extern int ima_used_chip;
@@ -153,6 +156,7 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
153 int flags); 156 int flags);
154void ima_init_policy(void); 157void ima_init_policy(void);
155void ima_update_policy(void); 158void ima_update_policy(void);
159void ima_update_policy_flag(void);
156ssize_t ima_parse_add_rule(char *); 160ssize_t ima_parse_add_rule(char *);
157void ima_delete_rules(void); 161void ima_delete_rules(void);
158 162
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 2dc13fbb7e91..922685483bd3 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -318,7 +318,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
318 struct integrity_iint_cache *iint; 318 struct integrity_iint_cache *iint;
319 int must_appraise, rc; 319 int must_appraise, rc;
320 320
321 if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode) 321 if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
322 || !inode->i_op->removexattr) 322 || !inode->i_op->removexattr)
323 return; 323 return;
324 324
@@ -356,7 +356,7 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig)
356{ 356{
357 struct integrity_iint_cache *iint; 357 struct integrity_iint_cache *iint;
358 358
359 if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode)) 359 if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))
360 return; 360 return;
361 361
362 iint = integrity_iint_find(inode); 362 iint = integrity_iint_find(inode);
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index ed7d9fa4f536..2191b36ad1da 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -85,7 +85,7 @@ static void ima_rdwr_violation_check(struct file *file)
85 char *pathbuf = NULL; 85 char *pathbuf = NULL;
86 const char *pathname; 86 const char *pathname;
87 87
88 if (!S_ISREG(inode->i_mode) || !ima_initialized) 88 if (!S_ISREG(inode->i_mode) || !(ima_policy_flag & IMA_MEASURE))
89 return; 89 return;
90 90
91 if (mode & FMODE_WRITE) { 91 if (mode & FMODE_WRITE) {
@@ -168,7 +168,7 @@ static int process_measurement(struct file *file, int mask, int function,
168 struct evm_ima_xattr_data *xattr_value = NULL, **xattr_ptr = NULL; 168 struct evm_ima_xattr_data *xattr_value = NULL, **xattr_ptr = NULL;
169 int xattr_len = 0; 169 int xattr_len = 0;
170 170
171 if (!ima_initialized || !S_ISREG(inode->i_mode)) 171 if (!ima_policy_flag || !S_ISREG(inode->i_mode))
172 return 0; 172 return 0;
173 173
174 /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action 174 /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
@@ -334,8 +334,10 @@ static int __init init_ima(void)
334 334
335 hash_setup(CONFIG_IMA_DEFAULT_HASH); 335 hash_setup(CONFIG_IMA_DEFAULT_HASH);
336 error = ima_init(); 336 error = ima_init();
337 if (!error) 337 if (!error) {
338 ima_initialized = 1; 338 ima_initialized = 1;
339 ima_update_policy_flag();
340 }
339 return error; 341 return error;
340} 342}
341 343
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 07099a8bc283..cdc620b2152f 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -35,6 +35,8 @@
35#define DONT_APPRAISE 0x0008 35#define DONT_APPRAISE 0x0008
36#define AUDIT 0x0040 36#define AUDIT 0x0040
37 37
38int ima_policy_flag;
39
38#define MAX_LSM_RULES 6 40#define MAX_LSM_RULES 6
39enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 41enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
40 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 42 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
@@ -295,6 +297,26 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
295 return action; 297 return action;
296} 298}
297 299
300/*
301 * Initialize the ima_policy_flag variable based on the currently
302 * loaded policy. Based on this flag, the decision to short circuit
303 * out of a function or not call the function in the first place
304 * can be made earlier.
305 */
306void ima_update_policy_flag(void)
307{
308 struct ima_rule_entry *entry;
309
310 ima_policy_flag = 0;
311 list_for_each_entry(entry, ima_rules, list) {
312 if (entry->action & IMA_DO_MASK)
313 ima_policy_flag |= entry->action;
314 }
315
316 if (!ima_appraise)
317 ima_policy_flag &= ~IMA_APPRAISE;
318}
319
298/** 320/**
299 * ima_init_policy - initialize the default measure rules. 321 * ima_init_policy - initialize the default measure rules.
300 * 322 *
@@ -341,6 +363,7 @@ void ima_update_policy(void)
341 363
342 if (ima_rules == &ima_default_rules) { 364 if (ima_rules == &ima_default_rules) {
343 ima_rules = &ima_policy_rules; 365 ima_rules = &ima_policy_rules;
366 ima_update_policy_flag();
344 cause = "complete"; 367 cause = "complete";
345 result = 0; 368 result = 0;
346 } 369 }
generated by cgit v1.2.2 (git 2.25.0) at 2026-02-24 22:32:19 -0500