Diffstat (limited to 'security/integrity/ima/ima_policy.c')
-rw-r--r-- | security/integrity/ima/ima_policy.c | 7 |
1 files changed, 7 insertions, 0 deletions
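--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -84,6 +84,7 @@ static struct ima_rule_entry default_rules[] = {
 	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, .uid = GLOBAL_ROOT_UID,
 	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
+	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
 };
 
 static struct ima_rule_entry default_appraise_rules[] = {
@@ -241,6 +242,8 @@ static int get_subaction(struct ima_rule_entry *rule, int func)
 		return IMA_BPRM_APPRAISE;
 	case MODULE_CHECK:
 		return IMA_MODULE_APPRAISE;
+	case FIRMWARE_CHECK:
+		return IMA_FIRMWARE_APPRAISE;
 	case FILE_CHECK:
 	default:
 		return IMA_FILE_APPRAISE;
@@ -486,6 +489,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 				entry->func = FILE_CHECK;
 			else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
 				entry->func = MODULE_CHECK;
+			else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
+				entry->func = FIRMWARE_CHECK;
 			else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
 				|| (strcmp(args[0].from, "MMAP_CHECK") == 0))
 				entry->func = MMAP_CHECK;
@@ -636,6 +641,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 			result = -EINVAL;
 		else if (entry->func == MODULE_CHECK)
 			ima_appraise |= IMA_APPRAISE_MODULES;
+		else if (entry->func == FIRMWARE_CHECK)
+			ima_appraise |= IMA_APPRAISE_FIRMWARE;
 	audit_log_format(ab, "res=%d", !result);
 	audit_log_end(ab);
 	return result;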
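Review bot: The `@@ -486` hunk makes `FIRMWARE_CHECK` a new accepted value of the `func=` policy keyword, but nothing in this file records that in the policy ABI; the IMA policy ABI documentation should list `FIRMWARE_CHECK` alongside `MODULE_CHECK` in the same change, unless that is done in a part of the commit outside this file's diffstat. The last hunk sets `ima_appraise |= IMA_APPRAISE_FIRMWARE` only when a parsed rule has `entry->func == FIRMWARE_CHECK`, and the visible `default_appraise_rules[]` gains no FIRMWARE_CHECK entry, so by default firmware is measured (first hunk) but not appraised and appraisal is opt-in via a loaded policy; a one-line comment above the new `default_rules[]` entry, `/* firmware is measured by default; appraisal requires an explicit policy rule */`, would make that asymmetry clear to whoever audits the default policy. The `if` that encloses the new `else if` in the last hunk starts outside the hunk, so whether it is gated on `entry->action == APPRAISE` cannot be confirmed here.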