author | Roberto Sassu <rsassu@suse.de> | 2015-04-11 17:13:06 +0200 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2015-05-21 13:27:19 -0400 |
commit | 6438de9f3fb5180d78a0422695d0b88c687757d3 (patch) | |
tree | 7053e30fd3a02863800f6234b15babe0329d1f20 | |
parent | 8265a2f89c8ecf526931951fa240982d1f438736 (diff) | |
download | talos-obmc-linux-6438de9f3fb5180d78a0422695d0b88c687757d3.tar.gz talos-obmc-linux-6438de9f3fb5180d78a0422695d0b88c687757d3.zip |
ima: skip measurement of cgroupfs files and update documentation
This patch adds a rule in the default measurement policy to skip inodes
in the cgroupfs filesystem. Measurements for this filesystem can be
avoided, as all the digests collected have the same value as the digest of
an empty file.
Furthermore, this patch updates the documentation of IMA policies in
Documentation/ABI/testing/ima_policy to make it consistent with
the policies set in security/integrity/ima/ima_policy.c.
Signed-off-by: Roberto Sassu <rsassu@suse.de>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-rw-r--r-- | Documentation/ABI/testing/ima_policy | 17 | ||||
-rw-r--r-- | security/integrity/ima/ima_policy.c | 2 |
2 files changed, 14 insertions, 5 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index d0d0c578324c..232e174aa5de 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -49,11 +49,22 @@ Description:
 			dont_measure fsmagic=0x01021994
 			dont_appraise fsmagic=0x01021994
 			# RAMFS_MAGIC
-			dont_measure fsmagic=0x858458f6
 			dont_appraise fsmagic=0x858458f6
+			# DEVPTS_SUPER_MAGIC
+			dont_measure fsmagic=0x1cd1
+			dont_appraise fsmagic=0x1cd1
+			# BINFMTFS_MAGIC
+			dont_measure fsmagic=0x42494e4d
+			dont_appraise fsmagic=0x42494e4d
 			# SECURITYFS_MAGIC
 			dont_measure fsmagic=0x73636673
 			dont_appraise fsmagic=0x73636673
+			# SELINUX_MAGIC
+			dont_measure fsmagic=0xf97cff8c
+			dont_appraise fsmagic=0xf97cff8c
+			# CGROUP_SUPER_MAGIC
+			dont_measure fsmagic=0x27e0eb
+			dont_appraise fsmagic=0x27e0eb
 
 			measure func=BPRM_CHECK
 			measure func=FILE_MMAP mask=MAY_EXEC
@@ -70,10 +81,6 @@ Description:
 		Examples of LSM specific definitions:
 
 		SELinux:
-			# SELINUX_MAGIC
-			dont_measure fsmagic=0xf97cff8c
-			dont_appraise fsmagic=0xf97cff8c
-
 			dont_measure obj_type=var_log_t
 			dont_appraise obj_type=var_log_t
 			dont_measure obj_type=auditd_log_t
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e86b58d459e6..e4244fc43cf1 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -79,6 +79,8 @@ static struct ima_rule_entry default_rules[] = {
 	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
+	{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
+	 .flags = IMA_FSMAGIC},
 	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
 	 .flags = IMA_FUNC | IMA_MASK},
 	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, |
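Review bot: The new CGROUP_SUPER_MAGIC entry in default_rules carries no comment explaining why cgroupfs is exempt from measurement, while the justification (every cgroupfs inode hashes to the empty-file digest, so the entries add nothing to the measurement list) lives only in the commit message; a reader auditing the default policy later has to dig for it. Add a one-line comment above the new entry, `/* cgroupfs: every file measures as the empty-file digest, so skip it */`, so the exemption is self-documenting next to the rule. Note also that the documentation hunk in this commit lists both `dont_measure fsmagic=0x27e0eb` and `dont_appraise fsmagic=0x27e0eb` under the default policy, whereas this hunk only adds a DONT_MEASURE rule; unless default_appraise_rules already contains CGROUP_SUPER_MAGIC (not visible here), the documented default policy overstates what the code enforces. The default_rules array begins before and continues past this hunk.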