From c1c4696c555c215d2ac354527059b10f76198caf Mon Sep 17 00:00:00 2001
From: Kyle McMartin
Date: Mon, 29 Nov 2010 22:22:51 -0500
Subject: [PATCH] allow ima to be opt-in like in f14
---
 ...-completely-disabled-and-default-off.patch | 142 ++++++++++++++++++
 kernel.spec | 9 ++
 2 files changed, 151 insertions(+)
 create mode 100644 ima-allow-it-to-be-completely-disabled-and-default-off.patch
diff --git a/ima-allow-it-to-be-completely-disabled-and-default-off.patch b/ima-allow-it-to-be-completely-disabled-and-default-off.patch
new file mode 100644
index 000000000..16f3fb1d9
--- /dev/null
+++ b/ima-allow-it-to-be-completely-disabled-and-default-off.patch
@@ -0,0 +1,142 @@ +From 785465d9cffd65b5a69dd2f465d2f7c917713220 Mon Sep 17 00:00:00 2001 +From: Kyle McMartin +Date: Mon, 18 Oct 2010 13:30:39 -0400 +Subject: [PATCH] ima: provide a toggle to disable it entirely + +Signed-off-by: Kyle McMartin +--- + security/integrity/ima/ima.h | 1 + + security/integrity/ima/ima_iint.c | 9 +++++++++ + security/integrity/ima/ima_main.c | 24 +++++++++++++++++++++--- + 3 files changed, 31 insertions(+), 3 deletions(-) + +diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c +index afba4ae..3d191ef 100644 +--- a/security/integrity/ima/ima_iint.c ++++ b/security/integrity/ima/ima_iint.c +@@ -54,6 +54,9 @@ int ima_inode_alloc(struct inode *inode) + struct ima_iint_cache *iint = NULL; + int rc = 0; + ++ if (!ima_enabled) ++ return 0; ++ + iint = kmem_cache_alloc(iint_cache, GFP_NOFS); + if (!iint) + return -ENOMEM; +@@ -116,6 +119,9 @@ void ima_inode_free(struct inode *inode) + { + struct ima_iint_cache *iint; + ++ if (!ima_enabled) ++ return; ++ + spin_lock(&ima_iint_lock); + iint = radix_tree_delete(&ima_iint_store, (unsigned long)inode); + spin_unlock(&ima_iint_lock); +@@ -139,6 +145,9 @@ static void init_once(void *foo) + + static int __init ima_iintcache_init(void) + { ++ if (!ima_enabled) ++ return 0; ++ + iint_cache = + kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0, + SLAB_PANIC, init_once); +diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c +index e662b89..6e91905 100644 +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -26,6 +26,7 @@ + #include "ima.h" + + int ima_initialized; ++int ima_enabled; + + char *ima_hash = "sha1"; + static int __init hash_setup(char *str) +@@ -36,6 +37,14 @@ static int __init hash_setup(char *str) + } + __setup("ima_hash=", hash_setup); + ++static int __init ima_enable(char *str) ++{ ++ if (strncmp(str, "on", 2) == 0) ++ ima_enabled = 1; ++ return 1; ++} ++__setup("ima=", ima_enable); 
++ + struct ima_imbalance { + struct hlist_node node; + unsigned long fsmagic; +@@ -148,7 +157,7 @@ void ima_counts_get(struct file *file) + struct ima_iint_cache *iint; + int rc; + +- if (!ima_initialized || !S_ISREG(inode->i_mode)) ++ if (!ima_enabled || !ima_initialized || !S_ISREG(inode->i_mode)) + return; + iint = ima_iint_find_get(inode); + if (!iint) +@@ -215,7 +224,7 @@ void ima_file_free(struct file *file) + struct inode *inode = file->f_dentry->d_inode; + struct ima_iint_cache *iint; + +- if (!ima_initialized || !S_ISREG(inode->i_mode)) ++ if (!ima_enabled || !ima_initialized || !S_ISREG(inode->i_mode)) + return; + iint = ima_iint_find_get(inode); + if (!iint) +@@ -269,7 +278,7 @@ int ima_file_mmap(struct file *file, unsigned long prot) + { + int rc; + +- if (!file) ++ if (!ima_enabled || !file) + return 0; + if (prot & PROT_EXEC) + rc = process_measurement(file, file->f_dentry->d_name.name, +@@ -294,6 +303,9 @@ int ima_bprm_check(struct linux_binprm *bprm) + { + int rc; + ++ if (!ima_enabled) ++ return 0; ++ + rc = process_measurement(bprm->file, bprm->filename, + MAY_EXEC, BPRM_CHECK); + return 0; +@@ -313,6 +325,9 @@ int ima_file_check(struct file *file, int mask) + { + int rc; + ++ if (!ima_enabled) ++ return 0; ++ + rc = process_measurement(file, file->f_dentry->d_name.name, + mask & (MAY_READ | MAY_WRITE | MAY_EXEC), + FILE_CHECK); +@@ -324,6 +339,9 @@ static int __init init_ima(void) + { + int error; + ++ if (!ima_enabled) ++ return 0; ++ + error = ima_init(); + ima_initialized = 1; + return error; +diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h +index 47fb65d..8919c4e 100644 +--- a/security/integrity/ima/ima.h ++++ b/security/integrity/ima/ima.h +@@ -36,6 +36,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; + + /* set during initialization */ + extern int ima_initialized; ++extern int ima_enabled; + extern int ima_used_chip; + extern char *ima_hash; + 
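Review bot: `ima_enable` in ima_main.c accepts any value that merely starts with "on", because `strncmp(str, "on", 2) == 0` stops before the terminator, so `ima=one` enables IMA while a typo such as `ima=yes` is silently ignored; unless prefix matching is intended, `if (strcmp(str, "on") == 0)` pins the accepted spelling. With the default now off, `ima_file_mmap`, `ima_bprm_check`, `ima_file_check` and `init_ima` all return 0 before any measurement happens, so a host whose remote attestation depends on the measurement list gets an empty list with nothing in the log explaining why; logging the state once in `init_ima`, e.g. `if (!ima_enabled) { pr_info("ima: disabled, boot with ima=on to enable\n"); return 0; }` (assuming pr_info is reachable through the existing includes), and documenting `ima=` next to the existing `ima_hash=` entry in Documentation/kernel-parameters.txt would make the opt-in visible to operators. The new `!ima_enabled` tests in `ima_counts_get` and `ima_file_free` appear redundant with the `!ima_initialized` test they sit beside, since `ima_initialized` is only set after `init_ima` passes the same gate; they are harmless, but a short comment on why both are checked would help the next reader. The nested patch's hunks are complete here, but the functions they touch (e.g. `ima_inode_alloc`, `ima_counts_get`) continue outside the quoted context.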
diff --git a/kernel.spec b/kernel.spec index f3d5b6e9e..b9b2a5dbc 100644 --- a/kernel.spec +++ b/kernel.spec @@ -870,6 +870,8 @@ Patch13800: xfs-track-ags-with-reclaimable-inodes-in-per-ag-radix-tree.patch Patch13801: xfs-simplify-and-remove-xfs_ireclaim.patch Patch13802: xfs-properly-account-for-reclaimed-inodes.patch +Patch13900: ima-allow-it-to-be-completely-disabled-and-default-off.patch + %endif BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root @@ -1660,6 +1662,9 @@ ApplyPatch xfs-track-ags-with-reclaimable-inodes-in-per-ag-radix-tree.patch ApplyPatch xfs-simplify-and-remove-xfs_ireclaim.patch ApplyPatch xfs-properly-account-for-reclaimed-inodes.patch +# disable IMA by default as we did in F-14 +ApplyPatch ima-allow-it-to-be-completely-disabled-and-default-off.patch + # END OF PATCH APPLICATIONS %endif @@ -2281,6 +2286,10 @@ fi %changelog +* Mon Nov 29 2010 Kyle McMartin +- Make ima an opt-in parameter like we did in F-14. Pass ima=on if you want + it enabled. + * Mon Nov 29 2010 Kyle McMartin - Backport XFS fixes for the kernel.org xfs boog. [4d4e307a] Needed two other backports to simplify life.