55 lines
1.8 KiB
Diff
55 lines
1.8 KiB
Diff
From 0c83c892509e592692e5002d855ce1f3001149e5 Mon Sep 17 00:00:00 2001
|
|
From: Kam Nasim <kam.nasim@windriver.com>
|
|
Date: Fri, 22 Sep 2017 16:47:36 -0400
|
|
Subject: [PATCH] US103091: IMA: System Configuration
|
|
|
|
Since IMA does measurements on all EXT4 file systems (as per IMA
|
|
policy), we end up with a large number of measurements for log files and
|
|
the DRBD fs. Therefore we restrict IMA to only do measurements &
|
|
appraisals on file systems that have i_version set, which is only the
|
|
rootfs.
|
|
---
|
|
ima/ima_main.c | 6 +++++-
|
|
kcompat.h | 1 +
|
|
2 files changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/ima/ima_main.c b/ima/ima_main.c
|
|
index 5d6ba23..ea3ace3 100644
|
|
--- a/ima/ima_main.c
|
|
+++ b/ima/ima_main.c
|
|
@@ -22,6 +22,7 @@
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/file.h>
|
|
+#include <linux/fs.h>
|
|
#include <linux/binfmts.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/mman.h>
|
|
@@ -178,7 +179,10 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
|
|
bool violation_check;
|
|
enum hash_algo hash_algo;
|
|
|
|
- if (!ima_policy_flag || !S_ISREG(inode->i_mode))
|
|
+ /* WRS: Only do measurements & appraisals
|
|
+ * on inodes that have i_version set (i.e the rootfs)
|
|
+ */
|
|
+ if (!ima_policy_flag || !S_ISREG(inode->i_mode) || !IS_I_VERSION(inode))
|
|
return 0;
|
|
|
|
/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
|
|
diff --git a/kcompat.h b/kcompat.h
|
|
index a5445aa..59e32a8 100644
|
|
--- a/kcompat.h
|
|
+++ b/kcompat.h
|
|
@@ -19,6 +19,7 @@
|
|
#define CONFIG_IMA 1
|
|
#define CONFIG_IMA_APPRAISE_SIGNED_INIT 1
|
|
#define CONFIG_IMA_APPRAISE 1
|
|
+#define CONFIG_IMA_LSM_RULES 1
|
|
#define CONFIG_IMA_DEFAULT_HASH "sha256"
|
|
#define CONFIG_IMA_MEASURE_PCR_IDX 10
|
|
#define CONFIG_IMA_DEFAULT_TEMPLATE "ima-sig"
|
|
--
|
|
1.8.3.1
|
|
|