Loading Documentation/kernel-parameters.txt +1 −1 Original line number Diff line number Diff line Loading @@ -1292,7 +1292,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted. Set number of hash buckets for inode cache. ima_appraise= [IMA] appraise integrity measurements Format: { "off" | "enforce" | "fix" } Format: { "off" | "enforce" | "fix" | "log" } default: "enforce" ima_appraise_tcb [IMA] Loading security/integrity/ima/ima.h +7 −2 Original line number Diff line number Diff line Loading @@ -43,6 +43,9 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; #define IMA_TEMPLATE_IMA_NAME "ima" #define IMA_TEMPLATE_IMA_FMT "d|n" /* current content of the policy */ extern int ima_policy_flag; /* set during initialization */ extern int ima_initialized; extern int ima_used_chip; Loading Loading @@ -153,14 +156,16 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, int flags); void ima_init_policy(void); void ima_update_policy(void); void ima_update_policy_flag(void); ssize_t ima_parse_add_rule(char *); void ima_delete_rules(void); /* Appraise integrity measurements */ #define IMA_APPRAISE_ENFORCE 0x01 #define IMA_APPRAISE_FIX 0x02 #define IMA_APPRAISE_MODULES 0x04 #define IMA_APPRAISE_FIRMWARE 0x08 #define IMA_APPRAISE_LOG 0x04 #define IMA_APPRAISE_MODULES 0x08 #define IMA_APPRAISE_FIRMWARE 0x10 #ifdef CONFIG_IMA_APPRAISE int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, Loading security/integrity/ima/ima_api.c +0 −5 Original line number Diff line number Diff line Loading @@ -179,11 +179,6 @@ int ima_get_action(struct inode *inode, int mask, int function) return ima_match_policy(inode, function, mask, flags); } int ima_must_measure(struct inode *inode, int mask, int function) { return ima_match_policy(inode, function, mask, IMA_MEASURE); } /* * ima_collect_measurement - collect file measurement * Loading security/integrity/ima/ima_appraise.c +4 −2 Original line number Diff line number Diff line Loading 
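Review bot: The new IMA_APPRAISE_LOG bit in ima.h renumbers IMA_APPRAISE_MODULES (0x04 to 0x08) and IMA_APPRAISE_FIRMWARE (0x08 to 0x10) without saying which of these bits are exclusive modes and which are additive modifiers; the `ima_appraise=` parser in ima_appraise.c assigns `ima_appraise = IMA_APPRAISE_LOG;` wholesale rather than OR-ing, so ENFORCE/FIX/LOG behave as alternatives while MODULES/FIRMWARE appear to be layered on top. I would add above the defines `/* ENFORCE, FIX and LOG are mutually exclusive appraisal modes; MODULES and FIRMWARE are additive and extend appraisal to those object types */`. The comment on the new global, `/* current content of the policy */`, is too vague for something hooks now test directly; `/* bitmask of the actions (e.g. IMA_APPRAISE) any rule in the active policy can request; presumably 0 until ima_init_policy()/ima_update_policy_flag() runs — confirm in ima_policy.c */` would tell a reader what it means to see the bit clear. Anything that hard-coded the old numeric values of MODULES/FIRMWARE silently changes meaning with this renumbering; as far as this diff shows all users go through the macros, but it is worth a sentence in the commit message.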
@@ -23,6 +23,8 @@ static int __init default_appraise_setup(char *str) { if (strncmp(str, "off", 3) == 0) ima_appraise = 0; else if (strncmp(str, "log", 3) == 0) ima_appraise = IMA_APPRAISE_LOG; else if (strncmp(str, "fix", 3) == 0) ima_appraise = IMA_APPRAISE_FIX; return 1; Loading Loading @@ -316,7 +318,7 @@ void ima_inode_post_setattr(struct dentry *dentry) struct integrity_iint_cache *iint; int must_appraise, rc; if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode) if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode) || !inode->i_op->removexattr) return; Loading Loading @@ -354,7 +356,7 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig) { struct integrity_iint_cache *iint; if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode)) if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)) return; iint = integrity_iint_find(inode); Loading security/integrity/ima/ima_init.c +19 −6 Original line number Diff line number Diff line Loading @@ -43,7 +43,7 @@ int ima_used_chip; * a different value.) Violations add a zero entry to the measurement * list and extend the aggregate PCR value with ff...ff's. */ static void __init ima_add_boot_aggregate(void) static int __init ima_add_boot_aggregate(void) { static const char op[] = "add_boot_aggregate"; const char *audit_cause = "ENOMEM"; Loading Loading @@ -72,17 +72,23 @@ static void __init ima_add_boot_aggregate(void) result = ima_alloc_init_template(iint, NULL, boot_aggregate_name, NULL, 0, &entry); if (result < 0) return; if (result < 0) { audit_cause = "alloc_entry"; goto err_out; } result = ima_store_template(entry, violation, NULL, boot_aggregate_name); if (result < 0) if (result < 0) { ima_free_template_entry(entry); return; audit_cause = "store_entry"; goto err_out; } return 0; err_out: integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, boot_aggregate_name, op, audit_cause, result, 0); return result; } int __init ima_init(void) Loading 
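Review bot: The new `log` branch in default_appraise_setup() inherits the 3-byte `strncmp`, so `ima_appraise=logging` or `ima_appraise=logx` also select log mode; the token is a whole boot-parameter value, so `else if (strcmp(str, "log") == 0)` is the exact match (the existing `off`/`fix` branches are equally loose, and an unrecognised value silently keeps the default with no warning). In ima_inode_post_setattr() and ima_reset_appraise_flags() the replacement test `!(ima_policy_flag & IMA_APPRAISE)` drops both the `ima_initialized` and the `ima_appraise` checks; that is only equivalent if ima_policy_flag stays 0 until ima_init_policy() runs and if ima_update_policy_flag() masks IMA_APPRAISE out whenever ima_appraise is 0 (`ima_appraise=off`), neither of which is visible in this diff. A comment at the first use, `/* ima_policy_flag is 0 before ima_init_policy() and has IMA_APPRAISE cleared when appraisal is off, so no ima_initialized/ima_appraise test is needed */`, would pin that assumption for the next reader. Both hook bodies continue outside the hunks.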
@@ -98,6 +104,10 @@ int __init ima_init(void) if (!ima_used_chip) pr_info("No TPM chip found, activating TPM-bypass!\n"); rc = ima_init_keyring(INTEGRITY_KEYRING_IMA); if (rc) return rc; rc = ima_init_crypto(); if (rc) return rc; Loading @@ -105,7 +115,10 @@ int __init ima_init(void) if (rc != 0) return rc; ima_add_boot_aggregate(); /* boot aggregate must be first entry */ rc = ima_add_boot_aggregate(); /* boot aggregate must be first entry */ if (rc != 0) return rc; ima_init_policy(); return ima_fs_init(); Loading Loading
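Review bot: The comment block above ima_add_boot_aggregate() still describes only the violation behaviour and not the new return contract that ima_init() now depends on; add `Return: 0 on success, or the negative error from the failing step (also reported via integrity_audit_msg()); ima_init() aborts on error so the measurement list is never started without its boot aggregate as first entry.` The new `store_entry` path frees the template entry before jumping to err_out, which is correct, while the `alloc_entry` path carries the callee's `result` into the audit record — fine, since the errno is logged next to the cause string. In ima_init(), ima_init_keyring() is now called before ima_init_crypto(), and if a later step fails nothing here tears the keyring down; that is presumably acceptable because a failed ima_init() leaves IMA disabled, but a one-line comment saying so would help. The body of ima_init() starts before the hunk.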
Documentation/kernel-parameters.txt +1 −1 Original line number Diff line number Diff line Loading @@ -1292,7 +1292,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted. Set number of hash buckets for inode cache. ima_appraise= [IMA] appraise integrity measurements Format: { "off" | "enforce" | "fix" } Format: { "off" | "enforce" | "fix" | "log" } default: "enforce" ima_appraise_tcb [IMA] Loading
security/integrity/ima/ima.h +7 −2 Original line number Diff line number Diff line Loading @@ -43,6 +43,9 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; #define IMA_TEMPLATE_IMA_NAME "ima" #define IMA_TEMPLATE_IMA_FMT "d|n" /* current content of the policy */ extern int ima_policy_flag; /* set during initialization */ extern int ima_initialized; extern int ima_used_chip; Loading Loading @@ -153,14 +156,16 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, int flags); void ima_init_policy(void); void ima_update_policy(void); void ima_update_policy_flag(void); ssize_t ima_parse_add_rule(char *); void ima_delete_rules(void); /* Appraise integrity measurements */ #define IMA_APPRAISE_ENFORCE 0x01 #define IMA_APPRAISE_FIX 0x02 #define IMA_APPRAISE_MODULES 0x04 #define IMA_APPRAISE_FIRMWARE 0x08 #define IMA_APPRAISE_LOG 0x04 #define IMA_APPRAISE_MODULES 0x08 #define IMA_APPRAISE_FIRMWARE 0x10 #ifdef CONFIG_IMA_APPRAISE int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, Loading
security/integrity/ima/ima_api.c +0 −5 Original line number Diff line number Diff line Loading @@ -179,11 +179,6 @@ int ima_get_action(struct inode *inode, int mask, int function) return ima_match_policy(inode, function, mask, flags); } int ima_must_measure(struct inode *inode, int mask, int function) { return ima_match_policy(inode, function, mask, IMA_MEASURE); } /* * ima_collect_measurement - collect file measurement * Loading
security/integrity/ima/ima_appraise.c +4 −2 Original line number Diff line number Diff line Loading @@ -23,6 +23,8 @@ static int __init default_appraise_setup(char *str) { if (strncmp(str, "off", 3) == 0) ima_appraise = 0; else if (strncmp(str, "log", 3) == 0) ima_appraise = IMA_APPRAISE_LOG; else if (strncmp(str, "fix", 3) == 0) ima_appraise = IMA_APPRAISE_FIX; return 1; Loading Loading @@ -316,7 +318,7 @@ void ima_inode_post_setattr(struct dentry *dentry) struct integrity_iint_cache *iint; int must_appraise, rc; if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode) if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode) || !inode->i_op->removexattr) return; Loading Loading @@ -354,7 +356,7 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig) { struct integrity_iint_cache *iint; if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode)) if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)) return; iint = integrity_iint_find(inode); Loading
security/integrity/ima/ima_init.c +19 −6 Original line number Diff line number Diff line Loading @@ -43,7 +43,7 @@ int ima_used_chip; * a different value.) Violations add a zero entry to the measurement * list and extend the aggregate PCR value with ff...ff's. */ static void __init ima_add_boot_aggregate(void) static int __init ima_add_boot_aggregate(void) { static const char op[] = "add_boot_aggregate"; const char *audit_cause = "ENOMEM"; Loading Loading @@ -72,17 +72,23 @@ static void __init ima_add_boot_aggregate(void) result = ima_alloc_init_template(iint, NULL, boot_aggregate_name, NULL, 0, &entry); if (result < 0) return; if (result < 0) { audit_cause = "alloc_entry"; goto err_out; } result = ima_store_template(entry, violation, NULL, boot_aggregate_name); if (result < 0) if (result < 0) { ima_free_template_entry(entry); return; audit_cause = "store_entry"; goto err_out; } return 0; err_out: integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, boot_aggregate_name, op, audit_cause, result, 0); return result; } int __init ima_init(void) Loading @@ -98,6 +104,10 @@ int __init ima_init(void) if (!ima_used_chip) pr_info("No TPM chip found, activating TPM-bypass!\n"); rc = ima_init_keyring(INTEGRITY_KEYRING_IMA); if (rc) return rc; rc = ima_init_crypto(); if (rc) return rc; Loading @@ -105,7 +115,10 @@ int __init ima_init(void) if (rc != 0) return rc; ima_add_boot_aggregate(); /* boot aggregate must be first entry */ rc = ima_add_boot_aggregate(); /* boot aggregate must be first entry */ if (rc != 0) return rc; ima_init_policy(); return ima_fs_init(); Loading