    ima: Introduce exec_tcb policy · c382b47e
    Roberto Sassu committed
    hulk inclusion
    category: feature
    feature: IMA Digest Lists extension
    bugzilla: 46797
    
    -------------------------------------------------
    
    This patch introduces a new hard-coded policy to measure executable code:
    
    dont_measure fsmagic=0x9fa0
    dont_measure fsmagic=0x62656572
    dont_measure fsmagic=0x64626720
    dont_measure fsmagic=0x1cd1
    dont_measure fsmagic=0x42494e4d
    dont_measure fsmagic=0x73636673
    dont_measure fsmagic=0xf97cff8c
    dont_measure fsmagic=0x43415d53
    dont_measure fsmagic=0x27e0eb
    dont_measure fsmagic=0x63677270
    dont_measure fsmagic=0x6e736673
    measure func=MMAP_CHECK mask=MAY_EXEC
    measure func=BPRM_CHECK mask=MAY_EXEC
    measure func=MODULE_CHECK
    measure func=FIRMWARE_CHECK
    measure func=POLICY_CHECK
    measure func=DIGEST_LIST_CHECK
    
    It can be selected by specifying ima_policy=exec_tcb in the kernel command
    line. Files in tmpfs are not excluded from measurement.
    
    Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
    Signed-off-by: Tianxing Zhang <zhangtianxing3@huawei.com>
    Reviewed-by: Jason Yan <yanaijie@huawei.com>
    Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
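As an added illustration (not part of the commit or of ima_policy.c), the rule set quoted in the commit message can be fed to a small evaluator to check what exec_tcb measures and what it skips. It assumes the kernel's first-match walk of the rule list, an exact match for mask=, the MAY_* bits from include/linux/fs.h and the filesystem magic numbers from linux/magic.h; the access events are constructed.

```python
# Added example: evaluate the exec_tcb policy text against constructed access events.
from typing import Optional

MAY_EXEC, MAY_WRITE, MAY_READ = 0x1, 0x2, 0x4   # permission bits, include/linux/fs.h
MASKS = {"MAY_EXEC": MAY_EXEC, "MAY_WRITE": MAY_WRITE, "MAY_READ": MAY_READ}

# Filesystem magic numbers from linux/magic.h, used for the constructed events below.
PROC_SUPER_MAGIC = 0x9fa0        # excluded by the first dont_measure rule
TMPFS_MAGIC = 0x01021994         # deliberately not excluded (see commit message)
EXT4_SUPER_MAGIC = 0xEF53        # ordinary root filesystem

EXEC_TCB_POLICY = """
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_measure fsmagic=0x1cd1
dont_measure fsmagic=0x42494e4d
dont_measure fsmagic=0x73636673
dont_measure fsmagic=0xf97cff8c
dont_measure fsmagic=0x43415d53
dont_measure fsmagic=0x27e0eb
dont_measure fsmagic=0x63677270
dont_measure fsmagic=0x6e736673
measure func=MMAP_CHECK mask=MAY_EXEC
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=MODULE_CHECK
measure func=FIRMWARE_CHECK
measure func=POLICY_CHECK
measure func=DIGEST_LIST_CHECK
"""

def parse_policy(text: str) -> list:
    """Turn 'action key=value ...' lines into (action, {key: value}) tuples."""
    rules = []
    for line in text.strip().splitlines():
        action, *conds = line.split()
        cond = dict(c.split("=", 1) for c in conds)
        if "fsmagic" in cond:
            cond["fsmagic"] = int(cond["fsmagic"], 16)
        rules.append((action, cond))
    return rules

def decide(rules: list, func: str, mask: int, fsmagic: int) -> Optional[str]:
    """First rule whose conditions all hold decides; a rule without func= covers
    every hook. None means no rule applies, so the file is not measured."""
    for action, cond in rules:
        if "func" in cond and cond["func"] != func:
            continue
        if "fsmagic" in cond and cond["fsmagic"] != fsmagic:
            continue
        if "mask" in cond and MASKS[cond["mask"]] != mask:
            continue
        return action
    return None

RULES = parse_policy(EXEC_TCB_POLICY)
```

Running `decide(RULES, "BPRM_CHECK", MAY_EXEC, TMPFS_MAGIC)` returns "measure", which is the tmpfs behaviour the commit message calls out, while the same exec on procfs hits the first dont_measure rule.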
ima_policy.c 49.6 KB