@@ -440,6 +440,17 @@ void ima_update_policy_flag(void)
|
|
|
ima_policy_flag &= ~IMA_APPRAISE;
|
|
|
}
|
|
|
|
|
|
+static int ima_appraise_flag(enum ima_hooks func)
|
|
|
+{
|
|
|
+ if (func == MODULE_CHECK)
|
|
|
+ return IMA_APPRAISE_MODULES;
|
|
|
+ else if (func == FIRMWARE_CHECK)
|
|
|
+ return IMA_APPRAISE_FIRMWARE;
|
|
|
+ else if (func == POLICY_CHECK)
|
|
|
+ return IMA_APPRAISE_POLICY;
|
|
|
+ return 0;
|
|
|
+}
|
|
|
+
|
|
|
/**
|
|
|
* ima_init_policy - initialize the default measure rules.
|
|
|
*
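Review bot: ima_appraise_flag has no comment stating its contract, so a reader has to infer from the callers that the int it returns is an IMA_APPRAISE_* bit meant to be ORed into temp_ima_appraise, with 0 meaning the hook has no dedicated appraisal bit. Suggest a header comment above the definition: `/* Return the IMA_APPRAISE_* bit an appraise rule for this hook turns on, or 0 for hooks with no dedicated bit. */`. Stylistically, the `else` after each `return` is redundant; a `switch (func)` with an explicit `default: return 0;` would make it obvious that 0 is the deliberate fallback when a new hook is added to enum ima_hooks rather than an accident of the if-chain.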
|
|
@@ -478,9 +489,11 @@ void __init ima_init_policy(void)
|
|
|
* Insert the appraise rules requiring file signatures, prior to
|
|
|
* any other appraise rules.
|
|
|
*/
|
|
|
- for (i = 0; i < secure_boot_entries; i++)
|
|
|
- list_add_tail(&secure_boot_rules[i].list,
|
|
|
- &ima_default_rules);
|
|
|
+ for (i = 0; i < secure_boot_entries; i++) {
|
|
|
+ list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
|
|
|
+ temp_ima_appraise |=
|
|
|
+ ima_appraise_flag(secure_boot_rules[i].func);
|
|
|
+ }
|
|
|
|
|
|
for (i = 0; i < appraise_entries; i++) {
|
|
|
list_add_tail(&default_appraise_rules[i].list,
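Review bot: The loop ORs `ima_appraise_flag(secure_boot_rules[i].func)` into temp_ima_appraise for every entry of secure_boot_rules without looking at the entry's action, whereas the matching change in ima_parse_rule only sets the bit when `entry->action == APPRAISE`. That is correct only as long as every entry in the secure_boot_rules table (defined outside this hunk) is an appraise rule, which the comment above the loop suggests but nothing here enforces; a later measure or dont_appraise entry in that table would silently turn on appraisal bits for its hook. Either guard it the same way, `if (secure_boot_rules[i].action == APPRAISE)` in front of the `|=`, or state the invariant in a comment on the table itself. ima_init_policy starts and ends outside the hunk, as do the declarations of i, secure_boot_entries and temp_ima_appraise.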
|
|
@@ -934,12 +947,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
|
|
|
}
|
|
|
if (!result && (entry->action == UNKNOWN))
|
|
|
result = -EINVAL;
|
|
|
- else if (entry->func == MODULE_CHECK)
|
|
|
- temp_ima_appraise |= IMA_APPRAISE_MODULES;
|
|
|
- else if (entry->func == FIRMWARE_CHECK)
|
|
|
- temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
|
|
|
- else if (entry->func == POLICY_CHECK)
|
|
|
- temp_ima_appraise |= IMA_APPRAISE_POLICY;
|
|
|
+ else if (entry->action == APPRAISE)
|
|
|
+ temp_ima_appraise |= ima_appraise_flag(entry->func);
|
|
|
+
|
|
|
audit_log_format(ab, "res=%d", !result);
|
|
|
audit_log_end(ab);
|
|
|
return result;
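Review bot: The new `else if (entry->action == APPRAISE)` branch still runs when result is non-zero, so a rule that failed to parse (result is set earlier in ima_parse_rule, outside this hunk) but carried `appraise func=...` still ORs its IMA_APPRAISE_* bit into temp_ima_appraise; the removed code had the same gap, and this change narrows it to appraise rules without closing it. Unless the caller discards temp_ima_appraise whenever it rejects a policy, a rejected rule can leave an appraisal bit pending that later accepted rules inherit. Suggest `else if (!result && entry->action == APPRAISE)` so the bit is only accumulated for rules that will actually be added. The audit record two lines below already reports `res=%d` from !result, so the flag update would then follow the same accepted/rejected distinction the audit log makes.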