This patch provides kernel parameter 'ima=off' that disables IMA.
This reduces IMA's memory consumption when IMA is not needed.
Specifically, this saves one pointer per inode in the system.

Originally-by: Dmitry Kasatkin <[email protected]>
Signed-off-by: Song Liu <[email protected]>
---
 security/integrity/ima/ima_main.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/security/integrity/ima/ima_main.c 
b/security/integrity/ima/ima_main.c
index 06132cf47016..21968c78f03f 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -1144,10 +1144,22 @@ static int ima_kernel_module_request(char *kmod_name)
 
 #endif /* CONFIG_INTEGRITY_ASYMMETRIC_KEYS */
 
+
+static int ima_mode = 1;
+static int __init ima_setup(char *str)
+{
+       if (strncmp(str, "off", 3) == 0)
+               ima_mode = 0;
+       return 1;
+}
+__setup("ima=", ima_setup);
+
 static int __init init_ima(void)
 {
        int error;
 
+       if (!ima_mode)
+               return 0;
        ima_appraise_parse_cmdline();
        ima_init_template_list();
        hash_setup(CONFIG_IMA_DEFAULT_HASH);
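Review bot: In `ima_setup()`, `strncmp(str, "off", 3)` is a prefix match, so any value that merely starts with "off" disables IMA, and every other value is accepted silently because the handler always returns 1; an exact `if (!strcmp(str, "off"))` would be tighter. Because this switch turns off measurement and appraisal for the whole boot, the early return in `init_ima()` should leave a trace in the kernel log, e.g. `pr_notice("IMA disabled on the kernel command line\n");`, so a missing measurement list can be tied back to the command line. It is also worth deciding whether `ima=off` should be honoured when the platform reports secure boot; the `ima_appraise=` handling appears to restrict mode changes in that case and an unconditional off switch would sidestep it, so please confirm against `ima_appraise_parse_cmdline()`. The patch adds no entry for the new parameter to the kernel-parameters documentation. `init_ima()` continues past the end of the hunk.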
@@ -1217,6 +1229,7 @@ DEFINE_LSM(ima) = {
        .name = "ima",
        .init = init_ima_lsm,
        .order = LSM_ORDER_LAST,
+       .enabled = &ima_mode,
        .blobs = &ima_blob_sizes,
 };
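Review bot: `.enabled = &ima_mode` makes the command-line flag double as the LSM framework's enabled state, which the name `ima_mode` and its uncommented definition do not convey. Renaming it to something like `ima_enabled` and documenting it at the definition, e.g. `/* 1 unless "ima=off" was given; also used as the LSM .enabled flag */`, would make the coupling visible. If nothing needs to write it after boot, `static int ima_enabled __ro_after_init = 1;` would also keep the switch from being flipped at runtime. Whether IMA paths that are not reached through this LSM's hooks or `init_ima()` also honour the flag is not visible from this hunk and should be checked.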
 
-- 
2.43.5

