From 785465d9cffd65b5a69dd2f465d2f7c917713220 Mon Sep 17 00:00:00 2001
From: Kyle McMartin <kyle@mcmartin.ca>
Date: Mon, 18 Oct 2010 13:30:39 -0400
Subject: [PATCH] ima: provide a toggle to disable it entirely
Signed-off-by: Kyle McMartin <kyle@redhat.com>
---
 security/integrity/ima/ima.h      |    1 +
 security/integrity/ima/ima_iint.c |    9 +++++++++
 security/integrity/ima/ima_main.c |   24 +++++++++++++++++++++---
 3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 3fbcd1d..65c3977 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -37,6 +37,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
 /* set during initialization */
 extern int iint_initialized;
 extern int ima_initialized;
+extern int ima_enabled;
 extern int ima_used_chip;
 extern char *ima_hash;
 
diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c
index afba4ae..3d191ef 100644
--- a/security/integrity/ima/ima_iint.c
+++ b/security/integrity/ima/ima_iint.c
@@ -54,6 +54,9 @@ int ima_inode_alloc(struct inode *inode)
 	struct ima_iint_cache *iint = NULL;
 	int rc = 0;
 
+	if (!ima_enabled)
+		return 0;
+
 	iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
 	if (!iint)
 		return -ENOMEM;
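Review bot: The early `return 0` in ima_inode_alloc leaves the inode without an iint, which is only safe because ima_enabled is fixed from the command line before any inode exists and never changes afterwards; nothing in the hunk states that invariant, and a later writer of ima_enabled (a securityfs knob, say) would leave ima_inode_free and ima_iint_find_get looking up inodes that were never registered. A comment above the check such as `/* ima_enabled is set once from the ima= boot option and never changes; inodes allocated while it is clear have no iint */` would pin that down. The same applies to the matching check added in ima_inode_free in the next hunk. ima_inode_alloc's body continues past the end of this hunk.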
@@ -116,6 +119,9 @@ void ima_inode_free(struct inode *inode)
 {
 	struct ima_iint_cache *iint;
 
+	if (!ima_enabled)
+		return;
+
 	spin_lock(&ima_iint_lock);
 	iint = radix_tree_delete(&ima_iint_store, (unsigned long)inode);
 	spin_unlock(&ima_iint_lock);
@@ -139,6 +145,9 @@ static void init_once(void *foo)
 
 static int __init ima_iintcache_init(void)
 {
+	if (!ima_enabled)
+		return 0;
+
 	iint_cache =
 	    kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0,
 			      SLAB_PANIC, init_once);
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index e662b89..6e91905 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -26,6 +26,7 @@
 #include "ima.h"
 
 int ima_initialized;
+int ima_enabled;
 
 char *ima_hash = "sha1";
 static int __init hash_setup(char *str)
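Review bot: `int ima_enabled;` is zero-initialised, so after this patch IMA measures nothing unless `ima=on` is on the command line, which inverts the default for every existing installation and is not what the subject line ("a toggle to disable it") suggests. If opt-out is the intent, initialise it to 1 and accept `ima=off` in ima_enable; if opt-in is the intent, say so in the commit message and in the kernel-parameters documentation, since an attestation deployment that upgrades into this change silently stops producing measurements. Either way the definition deserves a comment, e.g. `/* set once from the ima= boot option; never written after early boot */`, because the "set during initialization" comment covering the externs in ima.h does not describe it.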
@@ -36,6 +37,14 @@ static int __init hash_setup(char *str)
 }
 __setup("ima_hash=", hash_setup);
 
+static int __init ima_enable(char *str)
+{
+	if (strncmp(str, "on", 2) == 0)
+		ima_enabled = 1;
+	return 1;
+}
+__setup("ima=", ima_enable);
+
 struct ima_imbalance {
 	struct hlist_node node;
 	unsigned long fsmagic;
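Review bot: `strncmp(str, "on", 2) == 0` is a prefix test, so `ima=online` or `ima=onn` enable IMA while `ima=off`, `ima=0` and `ima=1` are silently ignored, and there is no spelling that expresses the opposite of the compiled-in default. An exact match handling both values is clearer: `if (strcmp(str, "on") == 0) ima_enabled = 1; else if (strcmp(str, "off") == 0) ima_enabled = 0;`. Returning 1 unconditionally also swallows unrecognised values; a `printk(KERN_WARNING ...)` for anything else would make a typo on the command line visible instead of quietly taking the default.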
@@ -148,7 +157,7 @@ void ima_counts_get(struct file *file)
 	struct ima_iint_cache *iint;
 	int rc;
 
-	if (!iint_initialized || !S_ISREG(inode->i_mode))
+	if (!ima_enabled || !iint_initialized || !S_ISREG(inode->i_mode))
 		return;
 	iint = ima_iint_find_get(inode);
 	if (!iint)
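Review bot: The `!ima_enabled` term added to this condition appears redundant with `!iint_initialized`: given the early return added to ima_iintcache_init, the cache init never runs when IMA is disabled, so presumably iint_initialized stays 0 (its assignment is outside the visible hunks). Keeping both as belt and braces is reasonable, but a short comment saying so, e.g. `/* ima_enabled is checked explicitly; iint_initialized is never set when it is clear */`, would stop the next reader from looking for a path where iint_initialized is set with IMA off. The identical change in ima_file_free in the next hunk has the same property. ima_counts_get's body continues outside the hunk.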
@@ -215,7 +224,7 @@ void ima_file_free(struct file *file)
 	struct inode *inode = file->f_dentry->d_inode;
 	struct ima_iint_cache *iint;
 
-	if (!iint_initialized || !S_ISREG(inode->i_mode))
+	if (!ima_enabled || !iint_initialized || !S_ISREG(inode->i_mode))
 		return;
 	iint = ima_iint_find_get(inode);
 	if (!iint)
@@ -269,7 +278,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
 {
 	int rc;
 
-	if (!file)
+	if (!ima_enabled || !file)
 		return 0;
 	if (prot & PROT_EXEC)
 		rc = process_measurement(file, file->f_dentry->d_name.name,
@@ -294,6 +303,9 @@ int ima_bprm_check(struct linux_binprm *bprm)
 {
 	int rc;
 
+	if (!ima_enabled)
+		return 0;
+
 	rc = process_measurement(bprm->file, bprm->filename,
 				 MAY_EXEC, BPRM_CHECK);
 	return 0;
@@ -313,6 +325,9 @@ int ima_file_check(struct file *file, int mask)
 {
 	int rc;
 
+	if (!ima_enabled)
+		return 0;
+
 	rc = process_measurement(file, file->f_dentry->d_name.name,
 				 mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
 				 FILE_CHECK);
@@ -324,6 +339,9 @@ static int __init init_ima(void)
 {
 	int error;
 
+	if (!ima_enabled)
+		return 0;
+
 	error = ima_init();
 	ima_initialized = 1;
 	return error;
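Review bot: When `ima_enabled` is clear, init_ima returns 0 without leaving any trace in the kernel log, so a system booted with IMA off looks identical in dmesg to one where IMA was never configured, and an attestation verifier only notices the absent measurement list after the fact. A single `printk(KERN_INFO "ima: disabled by boot parameter\n");` before the added `return 0` gives operators and incident responders something to grep for. Note that ima_initialized also stays 0 on this path, which is consistent with the other hooks but worth a comment on the early return.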
-- 
1.7.3.1