diff options
| author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2016-01-15 16:17:12 +0100 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2016-02-21 15:34:22 +0100 |
| commit | 19f8a84713edc1d27ea05be00effb97b8f1ef207 (patch) | |
| tree | 1bc29beeafe8358eeffcbd807ac59f6b45868695 /security/integrity/ima/ima_fs.c | |
| parent | ima: load policy using path (diff) | |
| download | linux-19f8a84713edc1d27ea05be00effb97b8f1ef207.tar.xz linux-19f8a84713edc1d27ea05be00effb97b8f1ef207.zip | |
ima: measure and appraise the IMA policy itself
Add support for measuring and appraising the IMA policy itself.
Changelog v4:
- use braces on both if/else branches, even if single line on one of the
branches - Dmitry
- Use the id mapping - Dmitry
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Petko Manolov <petkan@mip-labs.com>
Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Diffstat (limited to 'security/integrity/ima/ima_fs.c')
| -rw-r--r-- | security/integrity/ima/ima_fs.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index a6c61b351f36..60d011aaec38 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -325,10 +325,18 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, if (result < 0) goto out_free; - if (data[0] == '/') + if (data[0] == '/') { result = ima_read_policy(data); - else + } else if (ima_appraise & IMA_APPRAISE_POLICY) { + pr_err("IMA: signed policy file (specified as an absolute pathname) required\n"); + integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, + "policy_update", "signed policy required", + 1, 0); + if (ima_appraise & IMA_APPRAISE_ENFORCE) + result = -EACCES; + } else { result = ima_parse_add_rule(data); + } mutex_unlock(&ima_write_mutex); out_free: kfree(data); |