From 0c83c892509e592692e5002d855ce1f3001149e5 Mon Sep 17 00:00:00 2001
From: Kam Nasim <kam.nasim@windriver.com>
Date: Fri, 22 Sep 2017 16:47:36 -0400
Subject: [PATCH] US103091: IMA: System Configuration

Since IMA does measurements on all EXT4 file systems (as per IMA
policy), we end up with a large number of measurements for log files and
the DRBD fs. Therefore we restrict IMA to only do measurements &
appraisals on file systems that have i_version set, which is only the
rootfs.
---
 ima/ima_main.c | 6 +++++-
 kcompat.h      | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ima/ima_main.c b/ima/ima_main.c
index 5d6ba23..ea3ace3 100644
--- a/ima/ima_main.c
+++ b/ima/ima_main.c
@@ -22,6 +22,7 @@
 
 #include <linux/module.h>
 #include <linux/file.h>
+#include <linux/fs.h>
 #include <linux/binfmts.h>
 #include <linux/mount.h>
 #include <linux/mman.h>
@@ -178,7 +179,10 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
 	bool violation_check;
 	enum hash_algo hash_algo;
 
-	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
+	/* WRS: Only do measurements & appraisals
+	 * on inodes that have i_version set (i.e the rootfs)
+	 */
+	if (!ima_policy_flag || !S_ISREG(inode->i_mode) || !IS_I_VERSION(inode))
 		return 0;
 
 	/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
diff --git a/kcompat.h b/kcompat.h
index a5445aa..59e32a8 100644
--- a/kcompat.h
+++ b/kcompat.h
@@ -19,6 +19,7 @@
 #define CONFIG_IMA                          1
 #define CONFIG_IMA_APPRAISE_SIGNED_INIT     1
 #define CONFIG_IMA_APPRAISE                 1
+#define CONFIG_IMA_LSM_RULES                1
 #define CONFIG_IMA_DEFAULT_HASH             "sha256"
 #define CONFIG_IMA_MEASURE_PCR_IDX          10
 #define CONFIG_IMA_DEFAULT_TEMPLATE         "ima-sig"
-- 
1.8.3.1