Commit 33ce9549 authored by Mimi Zohar's avatar Mimi Zohar
Browse files

ima: extend the "ima_policy" boot command line to support multiple policies



Add support for providing multiple builtin policies on the "ima_policy="
boot command line.  Use "|" as the delimitor separating the policy names.
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent cdac74dd
...@@ -1477,12 +1477,17 @@ ...@@ -1477,12 +1477,17 @@
in crypto/hash_info.h. in crypto/hash_info.h.
ima_policy= [IMA] ima_policy= [IMA]
The builtin measurement policy to load during IMA The builtin policies to load during IMA setup.
setup. Specyfing "tcb" as the value, measures all Format: "tcb | appraise_tcb"
programs exec'd, files mmap'd for exec, and all files
opened with the read mode bit set by either the The "tcb" policy measures all programs exec'd, files
effective uid (euid=0) or uid=0. mmap'd for exec, and all files opened with the read
Format: "tcb" mode bit set by either the effective uid (euid=0) or
uid=0.
The "appraise_tcb" policy appraises the integrity of
all files owned by root. (This is the equivalent
of ima_appraise_tcb.)
ima_tcb [IMA] Deprecated. Use ima_policy= instead. ima_tcb [IMA] Deprecated. Use ima_policy= instead.
Load a policy which meets the needs of the Trusted Load a policy which meets the needs of the Trusted
......
...@@ -170,19 +170,24 @@ static int __init default_measure_policy_setup(char *str) ...@@ -170,19 +170,24 @@ static int __init default_measure_policy_setup(char *str)
} }
__setup("ima_tcb", default_measure_policy_setup); __setup("ima_tcb", default_measure_policy_setup);
static bool ima_use_appraise_tcb __initdata;
static int __init policy_setup(char *str) static int __init policy_setup(char *str)
{ {
if (ima_policy) char *p;
return 1;
if (strcmp(str, "tcb") == 0) while ((p = strsep(&str, " |\n")) != NULL) {
ima_policy = DEFAULT_TCB; if (*p == ' ')
continue;
if ((strcmp(p, "tcb") == 0) && !ima_policy)
ima_policy = DEFAULT_TCB;
else if (strcmp(p, "appraise_tcb") == 0)
ima_use_appraise_tcb = 1;
}
return 1; return 1;
} }
__setup("ima_policy=", policy_setup); __setup("ima_policy=", policy_setup);
static bool ima_use_appraise_tcb __initdata;
static int __init default_appraise_policy_setup(char *str) static int __init default_appraise_policy_setup(char *str)
{ {
ima_use_appraise_tcb = 1; ima_use_appraise_tcb = 1;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment