ima: require signed IMA policy

Require the IMA policy to be signed when additional rules can be added. v1: - initialize the policy flag - include IMA_APPRAISE_POLICY in the policy flag Signed-off-by: N Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: N Petko Manolov <petkan@mip-labs.com> Acked-by: N Dmitry Kasatkin <dmitry.kasatkin@huawei.com>

ima: require signed IMA policy
Require the IMA policy to be signed when additional rules can be added. v1: - initialize the policy flag - include IMA_APPRAISE_POLICY in the policy flag Signed-off-by: N Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: N Petko Manolov <petkan@mip-labs.com> Acked-by: N Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
95ee08fa · Mimi Zohar · 19f8a847 · 95ee08fa
隐藏空白更改
内联并排

Showing with 7 addition and 0 deletion

security/integrity/ima/ima_policy.c security/integrity/ima/ima_policy.c +7 -0

未找到文件。
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -129,6 +129,10 @@ static struct ima_rule_entry default_appraise_rules[] = {
 	{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
+#ifdef CONFIG_IMA_WRITE_POLICY
+	{.action = APPRAISE, .func = POLICY_CHECK,
+	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
+#endif
 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
 	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
 #else
@@ -412,9 +416,12 @@ void __init ima_init_policy(void)
 	for (i = 0; i < appraise_entries; i++) {
 		list_add_tail(&default_appraise_rules[i].list,
 			      &ima_default_rules);
+		if (default_appraise_rules[i].func == POLICY_CHECK)
+			temp_ima_appraise |= IMA_APPRAISE_POLICY;
 	}
 	ima_rules = &ima_default_rules;
+	ima_update_policy_flag();
 }
 /* Make sure we have a valid policy, at least containing some rules. */