summaryrefslogtreecommitdiffstats
path: root/security/integrity
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2009-05-12 21:14:23 +0200
committerJames Morris <jmorris@namei.org>2009-05-15 01:55:44 +0200
commitc3d20103d08e5c0b6738fbd0acf3ca004e5356c5 (patch)
tree4231ff475f11231b3cbca949a7bcad37a9a8cc17 /security/integrity
parentIMA: remove read permissions on the ima policy file (diff)
downloadlinux-c3d20103d08e5c0b6738fbd0acf3ca004e5356c5.tar.xz
linux-c3d20103d08e5c0b6738fbd0acf3ca004e5356c5.zip
IMA: do not measure everything opened by root by default
The IMA default policy measures every single file opened by root. This is terrible for most users. Consider a system (like mine) with virtual machine images. When those images are touched (which happens at boot for me) those images are measured. This is just way too much for the default case. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/ima/ima_policy.c2
1 files changed, 0 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index b168c1d595ce..dec6dcb1c8de 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -61,8 +61,6 @@ static struct ima_measure_rule_entry default_rules[] = {
.flags = IMA_FUNC | IMA_MASK},
{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
.flags = IMA_FUNC | IMA_MASK},
- {.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
- .flags = IMA_FUNC | IMA_MASK | IMA_UID}
};
static LIST_HEAD(measure_default_rules);