[PATCH v3 22/22] ima: require signed IMA policy
Dmitry Kasatkin
dmitry.kasatkin at gmail.com
Wed Feb 10 12:24:07 PST 2016
On Wed, Feb 3, 2016 at 9:06 PM, Mimi Zohar <zohar at linux.vnet.ibm.com> wrote:
> Require the IMA policy to be signed when additional rules can be added.
>
> v1:
> - initialize the policy flag
> - include IMA_APPRAISE_POLICY in the policy flag
>
> Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
Acked-by: Dmitry Kasatkin <dmitry.kasatkin at huawei.com>
> ---
> security/integrity/ima/ima_policy.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 39a811a..ba0f6dc 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -129,6 +129,10 @@ static struct ima_rule_entry default_appraise_rules[] = {
> {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
> {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
> {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
> +#ifdef CONFIG_IMA_WRITE_POLICY
> + {.action = APPRAISE, .func = POLICY_CHECK,
> + .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
> +#endif
> #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
> {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
> #else
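Review bot: the new POLICY_CHECK rule is inserted ahead of the `#ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT` root-owner rule without a comment saying why it has to sit there; a one-line comment noting that this placement lets a policy file match the IMA_DIGSIG_REQUIRED rule before the broader fowner rule, and that the rule is only compiled in when CONFIG_IMA_WRITE_POLICY allows rules to be added at runtime, would make the intent clear to the next reader of default_appraise_rules[].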
> @@ -412,9 +416,12 @@ void __init ima_init_policy(void)
> for (i = 0; i < appraise_entries; i++) {
> list_add_tail(&default_appraise_rules[i].list,
> &ima_default_rules);
> + if (default_appraise_rules[i].func == POLICY_CHECK)
> + temp_ima_appraise |= IMA_APPRAISE_POLICY;
> }
>
> ima_rules = &ima_default_rules;
> + ima_update_policy_flag();
> }
>
> /* Make sure we have a valid policy, at least containing some rules. */
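Review bot: the `default_appraise_rules[i].func == POLICY_CHECK` test in the loop is only correct if POLICY_CHECK is guaranteed non-zero, because the DONT_APPRAISE fsmagic entries in the first hunk leave .func unset and would otherwise all match; worth confirming the enum starts above zero, or guarding the assignment with `#ifdef CONFIG_IMA_WRITE_POLICY` the way the rule itself is. A short comment on what IMA_APPRAISE_POLICY gates once ima_update_policy_flag() is called would also help, since neither temp_ima_appraise nor that function is visible in this patch.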
> --
> 2.1.0
>
--
Thanks,
Dmitry