ima: extend the "ima_policy" boot command line to support multiple policies

Add support for providing multiple builtin policies on the "ima_policy="
boot command line.  Use "|" as the delimiter separating the policy names.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Mimi Zohar 2017-04-24 12:04:09 -04:00
parent cdac74ddf2
commit 33ce9549cf
2 changed files with 21 additions and 11 deletions


@ -1477,12 +1477,17 @@
in crypto/hash_info.h.
ima_policy= [IMA]
The builtin measurement policy to load during IMA
setup. Specyfing "tcb" as the value, measures all
programs exec'd, files mmap'd for exec, and all files
opened with the read mode bit set by either the
effective uid (euid=0) or uid=0.
Format: "tcb"
The builtin policies to load during IMA setup.
Format: "tcb | appraise_tcb"
The "tcb" policy measures all programs exec'd, files
mmap'd for exec, and all files opened with the read
mode bit set by either the effective uid (euid=0) or
uid=0.
The "appraise_tcb" policy appraises the integrity of
all files owned by root. (This is the equivalent
of ima_appraise_tcb.)
ima_tcb [IMA] Deprecated. Use ima_policy= instead.
Load a policy which meets the needs of the Trusted


@ -170,19 +170,24 @@ static int __init default_measure_policy_setup(char *str)
}
__setup("ima_tcb", default_measure_policy_setup);
static bool ima_use_appraise_tcb __initdata;
static int __init policy_setup(char *str)
{
if (ima_policy)
return 1;
char *p;
if (strcmp(str, "tcb") == 0)
while ((p = strsep(&str, " |\n")) != NULL) {
if (*p == ' ')
continue;
if ((strcmp(p, "tcb") == 0) && !ima_policy)
ima_policy = DEFAULT_TCB;
else if (strcmp(p, "appraise_tcb") == 0)
ima_use_appraise_tcb = 1;
}
return 1;
}
__setup("ima_policy=", policy_setup);
static bool ima_use_appraise_tcb __initdata;
static int __init default_appraise_policy_setup(char *str)
{
ima_use_appraise_tcb = 1;
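Review bot: The `if (*p == ' ') continue;` guard in the new strsep loop of policy_setup is dead code: with `" |\n"` as the delimiter set a token returned by strsep can never begin with a space, so nothing is skipped; what the documented form `"tcb | appraise_tcb"` actually produces is an empty token between adjacent delimiters, so the intended guard is `if (*p == '\0') continue;` (or the check can be dropped, since an empty token fails both strcmp calls anyway). A second point is that an unrecognized token is silently discarded, so a typo on the boot line leaves the system without the intended measurement or appraisal policy and without any diagnostic; an `else pr_err("ima_policy: unknown policy name \"%s\"\n", p);` branch after the appraise_tcb case would make that visible in the boot log. Note also that the early `if (ima_policy) return 1;` above the loop means a second `ima_policy=` occurrence on the command line is ignored in full, including an "appraise_tcb" it may carry — if that is intended, a one-line comment such as `/* only the first ima_policy= is honoured; later ones are ignored entirely */` would document it. The function also has no header comment; one stating that it parses a '|'-separated list of builtin policy names and sets ima_policy / ima_use_appraise_tcb would help. default_appraise_policy_setup starts at the end of this hunk and its body continues outside it.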