ima: require signed IMA policy
Require the IMA policy to be signed when additional rules can be added. v1: - initialize the policy flag - include IMA_APPRAISE_POLICY in the policy flag Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Petko Manolov <petkan@mip-labs.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
This commit is contained in:
parent
19f8a84713
commit
95ee08fa37
|
@ -129,6 +129,10 @@ static struct ima_rule_entry default_appraise_rules[] = {
|
|||
{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
|
||||
{.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||
{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
|
||||
#ifdef CONFIG_IMA_WRITE_POLICY
|
||||
{.action = APPRAISE, .func = POLICY_CHECK,
|
||||
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
|
||||
#endif
|
||||
#ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
|
||||
{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
|
||||
#else
|
||||
|
@ -412,9 +416,12 @@ void __init ima_init_policy(void)
|
|||
for (i = 0; i < appraise_entries; i++) {
|
||||
list_add_tail(&default_appraise_rules[i].list,
|
||||
&ima_default_rules);
|
||||
if (default_appraise_rules[i].func == POLICY_CHECK)
|
||||
temp_ima_appraise |= IMA_APPRAISE_POLICY;
|
||||
}
|
||||
|
||||
ima_rules = &ima_default_rules;
|
||||
ima_update_policy_flag();
|
||||
}
|
||||
|
||||
/* Make sure we have a valid policy, at least containing some rules. */
|
||||
|
|
Loading…
Reference in New Issue