From 785465d9cffd65b5a69dd2f465d2f7c917713220 Mon Sep 17 00:00:00 2001 From: Kyle McMartin Date: Mon, 18 Oct 2010 13:30:39 -0400 Subject: [PATCH] ima: provide a toggle to disable it entirely Signed-off-by: Kyle McMartin --- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_iint.c | 9 +++++++++ security/integrity/ima/ima_main.c | 24 +++++++++++++++++++++--- 3 files changed, 31 insertions(+), 3 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 3fbcd1d..65c3977 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -37,6 +37,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; /* set during initialization */ extern int iint_initialized; extern int ima_initialized; +extern int ima_enabled; extern int ima_used_chip; extern char *ima_hash; diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c index afba4ae..3d191ef 100644 --- a/security/integrity/ima/ima_iint.c +++ b/security/integrity/ima/ima_iint.c @@ -54,6 +54,9 @@ int ima_inode_alloc(struct inode *inode) struct ima_iint_cache *iint = NULL; int rc = 0; + if (!ima_enabled) + return 0; + iint = kmem_cache_alloc(iint_cache, GFP_NOFS); if (!iint) return -ENOMEM; @@ -116,6 +119,9 @@ void ima_inode_free(struct inode *inode) { struct ima_iint_cache *iint; + if (!ima_enabled) + return; + spin_lock(&ima_iint_lock); iint = radix_tree_delete(&ima_iint_store, (unsigned long)inode); spin_unlock(&ima_iint_lock); @@ -139,6 +145,9 @@ static void init_once(void *foo) static int __init ima_iintcache_init(void) { + if (!ima_enabled) + return 0; + iint_cache = kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0, SLAB_PANIC, init_once); diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index e662b89..6e91905 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -26,6 +26,7 @@ #include "ima.h" int ima_initialized; +int ima_enabled; char *ima_hash = "sha1"; static int __init hash_setup(char *str) @@ -36,6 +37,14 @@ static int __init hash_setup(char *str) } __setup("ima_hash=", hash_setup); +static int __init ima_enable(char *str) +{ + if (strncmp(str, "on", 2) == 0) + ima_enabled = 1; + return 1; +} +__setup("ima=", ima_enable); + struct ima_imbalance { struct hlist_node node; unsigned long fsmagic; @@ -148,7 +157,7 @@ void ima_counts_get(struct file *file) struct ima_iint_cache *iint; int rc; - if (!iint_initialized || !S_ISREG(inode->i_mode)) + if (!ima_enabled || !iint_initialized || !S_ISREG(inode->i_mode)) return; iint = ima_iint_find_get(inode); if (!iint) @@ -215,7 +224,7 @@ void ima_file_free(struct file *file) struct inode *inode = file->f_dentry->d_inode; struct ima_iint_cache *iint; - if (!iint_initialized || !S_ISREG(inode->i_mode)) + if (!ima_enabled || !iint_initialized || !S_ISREG(inode->i_mode)) return; iint = ima_iint_find_get(inode); if (!iint) @@ -269,7 +278,7 @@ int ima_file_mmap(struct file *file, unsigned long prot) { int rc; - if (!file) + if (!ima_enabled || !file) return 0; if (prot & PROT_EXEC) rc = process_measurement(file, file->f_dentry->d_name.name, @@ -294,6 +303,9 @@ int ima_bprm_check(struct linux_binprm *bprm) { int rc; + if (!ima_enabled) + return 0; + rc = process_measurement(bprm->file, bprm->filename, MAY_EXEC, BPRM_CHECK); return 0; @@ -313,6 +325,9 @@ int ima_file_check(struct file *file, int mask) { int rc; + if (!ima_enabled) + return 0; + rc = process_measurement(file, file->f_dentry->d_name.name, mask & (MAY_READ | MAY_WRITE | MAY_EXEC), FILE_CHECK); @@ -324,6 +339,9 @@ static int __init init_ima(void) { int error; + if (!ima_enabled) + return 0; + error = ima_init(); ima_initialized = 1; return error; -- 1.7.3.1