On Mon, Mar 31, 2025 at 08:15:08AM -0400, Mimi Zohar wrote:
On Mon, 2025-03-31 at 14:16 +0800, Baoquan He wrote:
It doesn't make sense to run IMA functionality in the kdump kernel, and that
will cost extra memory. It would be great to allow IMA to be disabled on
purpose, e.g. for the kdump kernel.

Hence add a knob here to allow people to disable IMA if needed.

Signed-off-by: Baoquan He <b...@redhat.com>
---
 security/integrity/ima/ima_main.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/security/integrity/ima/ima_main.c 
b/security/integrity/ima/ima_main.c
index 28b8b0db6f9b..5d677d1389fe 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -38,11 +38,27 @@ int ima_appraise;

 int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
 static int hash_setup_done;
+static int ima_disabled = 0;

 static struct notifier_block ima_lsm_policy_notifier = {
        .notifier_call = ima_lsm_policy_change,
 };

+static int __init ima_setup(char *str)
+{
+       if (strncmp(str, "off", 3) == 0)
+                ima_disabled = 1;
+        else if (strncmp(str, "on", 2) == 0)
+                ima_disabled = 0;
+        else
+                pr_err("invalid ima setup option: \"%s\" ", str);
+
+       return 1;
+}
+__setup("ima=", ima_setup);

I understand your wanting to disable IMA for Kdump, but this goes way beyond
that.  Please don't make it generic like this.

Please refer to ima_appraise_parse_cmdline().

Hi Mimi,

To save memory for kdump, it seems init_ima has to be skipped, so
ima=off is necessary (ima_appraise=off won't serve the purpose). Or do
you have any specific concerns in mind?


Mimi

+
+
+
 static int __init hash_setup(char *str)
 {
        struct ima_template_desc *template_desc = ima_template_desc_current();
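Review bot: the strncmp() prefix matches in ima_setup() accept any value that merely starts with "off" or "on" (`ima=offline` or `ima=only` would silently toggle the flag), so compare the whole token with strcmp() or parse it with kstrtobool() instead. The same function mixes tab and space indentation (`+       if (strncmp(str, "off", 3) == 0)` next to `+                ima_disabled = 1;`), the `= 0` initializer on `static int ima_disabled` is redundant for a static, the pr_err() format has a stray space before the closing quote and no trailing "\n", and the three empty `+` lines inserted before hash_setup() should be dropped. Because this knob switches off measurement and appraisal for any boot that carries it, not only the kdump kernel the commit message describes, it also needs an entry in Documentation/admin-guide/kernel-parameters.txt, and it would be safer to honour it only when the running kernel is actually the crash kernel (for example by also checking is_kdump_kernel()) rather than on the command-line string alone.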
@@ -1176,6 +1192,11 @@ static int __init init_ima(void)
 {
        int error;

+       if (ima_disabled) {
+               pr_info("IMA functionality is disabled on purpose!");
+               return 0;
+       }
+
        ima_appraise_parse_cmdline();
        ima_init_template_list();
        hash_setup(CONFIG_IMA_DEFAULT_HASH);
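Review bot: the pr_info() in the early-return path is missing a trailing "\n", so the next kernel message can end up on the same line; write it as `pr_info("IMA disabled via ima=off on the command line\n");` and drop the "on purpose!" wording, which says nothing about why. Returning 0 before ima_appraise_parse_cmdline(), ima_init_template_list() and hash_setup() does achieve the memory saving, but it means the measurement and appraisal paths are never initialised on any boot that passes ima=off, not just the kdump kernel, which is the generic behaviour Mimi objected to above; if the kdump case is the only intended one, the early return should be conditioned on that rather than on the bare flag.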



--
Best regards,
Coiby