On 15-12-08 13:01:24, Mimi Zohar wrote:
> Require the IMA policy to be signed when additional rules can be added.
> 
> Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
> ---
>  security/integrity/ima/ima_policy.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/security/integrity/ima/ima_policy.c 
> b/security/integrity/ima/ima_policy.c
> index 87614a6..6248ae23 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -131,6 +131,10 @@ static struct ima_rule_entry default_appraise_rules[] = {
>       {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = 
> IMA_FSMAGIC},
>       {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
>       {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = 
> IMA_FSMAGIC},
> +#ifdef CONFIG_IMA_WRITE_POLICY
> +     {.action = APPRAISE, .read_func = POLICY_CHECK,
> +     .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
> +#endif

The only time this is not going to work is when there is no IMA key in the 
keyring and there is no default policy, so you need to load one at boot time.  
This case does not make much sense, however, so I assume the patch is fine.


>  #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
>       {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
>  #else
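Review bot: because the new rule is added to default_appraise_rules[], the signature requirement stated in the commit message is only enforced when the appraise_tcb default policy is in use; a kernel built with CONFIG_IMA_WRITE_POLICY that boots without it and loads its own policy gets no POLICY_CHECK rule and can still have unsigned rules appended. Either qualify the commit message ("when appraise_tcb is enabled") or add the rule on the non-tcb path as well, otherwise the title promises more than the hunk delivers. The position of the rule also matters: it has to precede the `.fowner = GLOBAL_ROOT_UID` APPRAISE rule, as it does here, since rules are matched in order and a root-owned policy file would otherwise be appraised without IMA_DIGSIG_REQUIRED; a one-line comment above the #ifdef noting that ordering dependency would save the next person from moving it.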


                Petko