summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorRoberto Sassu <rsassu@suse.de>2015-04-11 17:13:06 +0200
committerMimi Zohar <zohar@linux.vnet.ibm.com>2015-05-21 13:27:19 -0400
commit6438de9f3fb5180d78a0422695d0b88c687757d3 (patch)
tree7053e30fd3a02863800f6234b15babe0329d1f20 /security
parent8265a2f89c8ecf526931951fa240982d1f438736 (diff)
downloadop-kernel-dev-6438de9f3fb5180d78a0422695d0b88c687757d3.zip
op-kernel-dev-6438de9f3fb5180d78a0422695d0b88c687757d3.tar.gz
ima: skip measurement of cgroupfs files and update documentation
This patch adds a rule in the default measurement policy to skip inodes in the cgroupfs filesystem. Measurements for this filesystem can be avoided, as all the digests collected have the same value of the digest of an empty file. Furthermore, this patch updates the documentation of IMA policies in Documentation/ABI/testing/ima_policy to make it consistent with the policies set in security/integrity/ima/ima_policy.c. Signed-off-by: Roberto Sassu <rsassu@suse.de> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/ima/ima_policy.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e86b58d..e4244fc 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -79,6 +79,8 @@ static struct ima_rule_entry default_rules[] = {
{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
+ .flags = IMA_FSMAGIC},
{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
.flags = IMA_FUNC | IMA_MASK},
{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
OpenPOWER on IntegriCloud