summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoberto Sassu <rsassu@suse.de>2015-04-11 17:13:06 +0200
committerMimi Zohar <zohar@linux.vnet.ibm.com>2015-05-21 13:27:19 -0400
commit6438de9f3fb5180d78a0422695d0b88c687757d3 (patch)
tree7053e30fd3a02863800f6234b15babe0329d1f20
parent8265a2f89c8ecf526931951fa240982d1f438736 (diff)
downloadtalos-obmc-linux-6438de9f3fb5180d78a0422695d0b88c687757d3.tar.gz
talos-obmc-linux-6438de9f3fb5180d78a0422695d0b88c687757d3.zip
ima: skip measurement of cgroupfs files and update documentation
This patch adds a rule in the default measurement policy to skip inodes in the cgroupfs filesystem. Measurements for this filesystem can be avoided, as all the digests collected have the same value of the digest of an empty file. Furthermore, this patch updates the documentation of IMA policies in Documentation/ABI/testing/ima_policy to make it consistent with the policies set in security/integrity/ima/ima_policy.c. Signed-off-by: Roberto Sassu <rsassu@suse.de> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-rw-r--r--Documentation/ABI/testing/ima_policy17
-rw-r--r--security/integrity/ima/ima_policy.c2
2 files changed, 14 insertions, 5 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index d0d0c578324c..232e174aa5de 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -49,11 +49,22 @@ Description:
dont_measure fsmagic=0x01021994
dont_appraise fsmagic=0x01021994
# RAMFS_MAGIC
- dont_measure fsmagic=0x858458f6
dont_appraise fsmagic=0x858458f6
+ # DEVPTS_SUPER_MAGIC
+ dont_measure fsmagic=0x1cd1
+ dont_appraise fsmagic=0x1cd1
+ # BINFMTFS_MAGIC
+ dont_measure fsmagic=0x42494e4d
+ dont_appraise fsmagic=0x42494e4d
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
dont_appraise fsmagic=0x73636673
+ # SELINUX_MAGIC
+ dont_measure fsmagic=0xf97cff8c
+ dont_appraise fsmagic=0xf97cff8c
+ # CGROUP_SUPER_MAGIC
+ dont_measure fsmagic=0x27e0eb
+ dont_appraise fsmagic=0x27e0eb
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
@@ -70,10 +81,6 @@ Description:
Examples of LSM specific definitions:
SELinux:
- # SELINUX_MAGIC
- dont_measure fsmagic=0xf97cff8c
- dont_appraise fsmagic=0xf97cff8c
-
dont_measure obj_type=var_log_t
dont_appraise obj_type=var_log_t
dont_measure obj_type=auditd_log_t
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e86b58d459e6..e4244fc43cf1 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -79,6 +79,8 @@ static struct ima_rule_entry default_rules[] = {
{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
+ .flags = IMA_FSMAGIC},
{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
.flags = IMA_FUNC | IMA_MASK},
{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
OpenPOWER on IntegriCloud