10 years ago · c57782c13e
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -149,3 +149,10 @@ config IMA_X509_PATH
 
				 	default "/etc/keys/x509_ima.der"
			
 
				 	help
			
 
				 	   This option defines IMA X509 certificate path.
			
 
				+
			
 
				+config IMA_APPRAISE_SIGNED_INIT
			
 
				+	bool "Require signed user-space initialization"
			
 
				+	depends on IMA_LOAD_X509
			
 
				+	default n
			
 
				+	help
			
 
				+	   This option requires user-space init to be signed.
			
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -100,7 +100,13 @@ static struct ima_rule_entry default_appraise_rules[] = {
 
				 	{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
			
 
				 	{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
			
 
				 	{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
			
 
				+#ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
			
 
				 	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
			
 
				+#else
			
 
				+	/* force signature */
			
 
				+	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID,
			
 
				+	 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
			
 
				+#endif
			
 
				 };
			
 
				 
			
 
				 static LIST_HEAD(ima_default_rules);