Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
PUBLIC_REPOS
/
ti-processor-sdk-linux
2
0
Салаа 0
Файлууд Асуудлууд 0 Хуулах хүсэлтүүд 0 Мэдлэгийн сан
Эх сурвалжийг харах

ima: skip measurement of cgroupfs files and update documentation

This patch adds a rule in the default measurement policy to skip inodes
in the cgroupfs filesystem. Measurements for this filesystem can be
avoided, as all the digests collected have the same value of the digest of
an empty file.

Furthermore, this patch updates the documentation of IMA policies in
Documentation/ABI/testing/ima_policy to make it consistent with
the policies set in security/integrity/ima/ima_policy.c.

Signed-off-by: Roberto Sassu <rsassu@suse.de>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Roberto Sassu 10 жил өмнө
parent
8265a2f89c
commit
6438de9f3f
2 өөрчлөгдсөн 14 нэмэгдсэн , 5 устгасан
Өөрчлөлтийг ялгаж харах Өөрчлөлтийн статистик харах
  1. 12 5
      Documentation/ABI/testing/ima_policy
  2. 2 0
      security/integrity/ima/ima_policy.c

+ 12 - 5
Documentation/ABI/testing/ima_policy
Файл харах 

@@ -49,11 +49,22 @@ Description:
 
 			dont_measure fsmagic=0x01021994
 
 			dont_appraise fsmagic=0x01021994
 
 			# RAMFS_MAGIC
 
-			dont_measure fsmagic=0x858458f6
 
 			dont_appraise fsmagic=0x858458f6
 
+			# DEVPTS_SUPER_MAGIC
 
+			dont_measure fsmagic=0x1cd1
 
+			dont_appraise fsmagic=0x1cd1
 
+			# BINFMTFS_MAGIC
 
+			dont_measure fsmagic=0x42494e4d
 
+			dont_appraise fsmagic=0x42494e4d
 
 			# SECURITYFS_MAGIC
 
 			dont_measure fsmagic=0x73636673
 
 			dont_appraise fsmagic=0x73636673
 
+			# SELINUX_MAGIC
 
+			dont_measure fsmagic=0xf97cff8c
 
+			dont_appraise fsmagic=0xf97cff8c
 
+			# CGROUP_SUPER_MAGIC
 
+			dont_measure fsmagic=0x27e0eb
 
+			dont_appraise fsmagic=0x27e0eb
 
 
 			measure func=BPRM_CHECK
 
 			measure func=FILE_MMAP mask=MAY_EXEC
 
@@ -70,10 +81,6 @@ Description:
 
 		Examples of LSM specific definitions:
 
 
 		SELinux:
 
-			# SELINUX_MAGIC
 
-			dont_measure fsmagic=0xf97cff8c
 
-			dont_appraise fsmagic=0xf97cff8c
 
-
 
 			dont_measure obj_type=var_log_t
 
 			dont_appraise obj_type=var_log_t
 
 			dont_measure obj_type=auditd_log_t

+ 2 - 0
security/integrity/ima/ima_policy.c
Файл харах 

@@ -79,6 +79,8 @@ static struct ima_rule_entry default_rules[] = {
 
 	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
 
 	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
 
 	{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
 
+	{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
 
+	 .flags = IMA_FSMAGIC},
 
 	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
 
 	 .flags = IMA_FUNC | IMA_MASK},
 
 	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,