diff options
author | Mimi Zohar <zohar@linux.ibm.com> | 2018-11-15 01:24:13 +0300 |
---|---|---|
committer | Mimi Zohar <zohar@linux.ibm.com> | 2018-12-11 15:19:46 +0300 |
commit | 060190fbe676268a04a80d5f4b426fc3db9c2401 (patch) | |
tree | 1183ef3c2681e9ffb113a661f70b839c06d45ac6 /security | |
parent | 399574c64eaf94e82b7cf056978d7e68748c0f1d (diff) | |
download | linux-060190fbe676268a04a80d5f4b426fc3db9c2401.tar.xz |
ima: don't measure/appraise files on efivarfs
Update the builtin IMA policies specified on the boot command line
(eg. ima_policy="tcb|appraise_tcb") to permit accessing efivar files.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/ima/ima_policy.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index b20770704b6c..d17a23b5c91d 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -107,7 +107,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { .flags = IMA_FSMAGIC}, {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, - {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC} + {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} }; static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { @@ -150,6 +151,7 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, #ifdef CONFIG_IMA_WRITE_POLICY |