ima: Default it to off

Pass ima=on to enable. Reduce impact of the option when disabled.
2010-10-18 12:35:00 -04:00 · 2010-10-18 12:35:00 -04:00 · 52c02bb8d1
commit 52c02bb8d1
parent dbda5f5afd
2 changed files with 283 additions and 0 deletions
--- a/ima-allow-it-to-be-completely-disabled-and-default-off.patch
+++ b/ima-allow-it-to-be-completely-disabled-and-default-off.patch
@ -0,0 +1,275 @@
 From 6887ac55c66179ecd6191c21cf9c629cb2317ca4 Mon Sep 17 00:00:00 2001
 From: Kyle McMartin <kyle@mcmartin.ca>
 Date: Mon, 18 Oct 2010 02:08:35 -0400
 Subject: [PATCH] ima: allow it to be completely disabled (and default to off)
 Allow IMA to be entirely disabled, don't even bother calling into
 the provided hooks, and avoid initializing caches.
 (A lot of the hooks will test iint_initialized, and so this doubly
 disables them, since the iint cache won't be enabled. But hey, we
 avoid a pointless branch...)
 Signed-off-by: Kyle McMartin <kyle@redhat.com>
 ---
 include/linux/ima.h               |   66 +++++++++++++++++++++++++++++++++----
 security/integrity/ima/ima_iint.c |   13 +++++--
 security/integrity/ima/ima_main.c |   34 +++++++++++++------
 3 files changed, 91 insertions(+), 22 deletions(-)
 diff --git a/include/linux/ima.h b/include/linux/ima.h
 index 975837e..2fa456d 100644
 --- a/include/linux/ima.h
 +++ b/include/linux/ima.h
@@ -14,13 +14,65 @@
 struct linux_binprm;
 #ifdef CONFIG_IMA
 -extern int ima_bprm_check(struct linux_binprm *bprm);
 -extern int ima_inode_alloc(struct inode *inode);
 -extern void ima_inode_free(struct inode *inode);
 -extern int ima_file_check(struct file *file, int mask);
 -extern void ima_file_free(struct file *file);
 -extern int ima_file_mmap(struct file *file, unsigned long prot);
 -extern void ima_counts_get(struct file *file);
 +
 +extern int ima_enabled;
 +
 +extern int __ima_bprm_check(struct linux_binprm *bprm);
 +extern int __ima_inode_alloc(struct inode *inode);
 +extern void __ima_inode_free(struct inode *inode);
 +extern int __ima_file_check(struct file *file, int mask);
 +extern void __ima_file_free(struct file *file);
 +extern int __ima_file_mmap(struct file *file, unsigned long prot);
 +extern void __ima_counts_get(struct file *file);
 +
 +static inline int ima_bprm_check(struct linux_binprm *bprm)
 +{
 +	if (ima_enabled)
 +		return __ima_bprm_check(bprm);
 +	return 0;
 +}
 +
 +static inline int ima_inode_alloc(struct inode *inode)
 +{
 +	if (ima_enabled)
 +		return __ima_inode_alloc(inode);
 +	return 0;
 +}
 +
 +static inline void ima_inode_free(struct inode *inode)
 +{
 +	if (ima_enabled)
 +		__ima_inode_free(inode);
 +	return;
 +}
 +
 +static inline int ima_file_check(struct file *file, int mask)
 +{
 +	if (ima_enabled)
 +		return __ima_file_check(file, mask);
 +	return 0;
 +}
 +
 +static inline void ima_file_free(struct file *file)
 +{
 +	if (ima_enabled)
 +		__ima_file_free(file);
 +	return;
 +}
 +
 +static inline int ima_file_mmap(struct file *file, unsigned long prot)
 +{
 +	if (ima_enabled)
 +		return __ima_file_mmap(file, prot);
 +	return 0;
 +}
 +
 +static inline void ima_counts_get(struct file *file)
 +{
 +	if (ima_enabled)
 +		return __ima_counts_get(file);
 +	return;
 +}
 #else
 static inline int ima_bprm_check(struct linux_binprm *bprm)
 diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c
 index afba4ae..767f026 100644
 --- a/security/integrity/ima/ima_iint.c
 +++ b/security/integrity/ima/ima_iint.c
@@ -46,10 +46,10 @@ out:
 }
 /**
 - * ima_inode_alloc - allocate an iint associated with an inode
 + * __ima_inode_alloc - allocate an iint associated with an inode
  * @inode: pointer to the inode
  */
 -int ima_inode_alloc(struct inode *inode)
 +int __ima_inode_alloc(struct inode *inode)
 {
 	struct ima_iint_cache *iint = NULL;
 	int rc = 0;
@@ -107,12 +107,12 @@ void iint_rcu_free(struct rcu_head *rcu_head)
 }
 /**
 - * ima_inode_free - called on security_inode_free
 + * __ima_inode_free - called on security_inode_free
  * @inode: pointer to the inode
  *
  * Free the integrity information(iint) associated with an inode.
  */
 -void ima_inode_free(struct inode *inode)
 +void __ima_inode_free(struct inode *inode)
 {
 	struct ima_iint_cache *iint;
@@ -139,6 +139,11 @@ static void init_once(void *foo)
 static int __init ima_iintcache_init(void)
 {
 +	extern int ima_enabled;
 +
 +	if (!ima_enabled)
 +		return 0;
 +
 	iint_cache =
 	    kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0,
 			      SLAB_PANIC, init_once);
 diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
 index e662b89..92e084c 100644
 --- a/security/integrity/ima/ima_main.c
 +++ b/security/integrity/ima/ima_main.c
@@ -26,6 +26,7 @@
 #include "ima.h"
 int ima_initialized;
 +int ima_enabled = 0;
 char *ima_hash = "sha1";
 static int __init hash_setup(char *str)
@@ -36,6 +37,14 @@ static int __init hash_setup(char *str)
 }
 __setup("ima_hash=", hash_setup);
 +static int __init ima_enable(char *str)
 +{
 +	if (strncmp(str, "on", 2) == 0)
 +		ima_enabled = 1;
 +	return 1;
 +}
 +__setup("ima=", ima_enable);
 +
 struct ima_imbalance {
 	struct hlist_node node;
 	unsigned long fsmagic;
@@ -130,7 +139,7 @@ static void ima_inc_counts(struct ima_iint_cache *iint, fmode_t mode)
 }
 /*
 - * ima_counts_get - increment file counts
 + * __ima_counts_get - increment file counts
  *
  * Maintain read/write counters for all files, but only
  * invalidate the PCR for measured files:
@@ -140,7 +149,7 @@ static void ima_inc_counts(struct ima_iint_cache *iint, fmode_t mode)
  * 	  could result in a file measurement error.
  *
  */
 -void ima_counts_get(struct file *file)
 +void __ima_counts_get(struct file *file)
 {
 	struct dentry *dentry = file->f_path.dentry;
 	struct inode *inode = dentry->d_inode;
@@ -204,13 +213,13 @@ static void ima_dec_counts(struct ima_iint_cache *iint, struct inode *inode,
 }
 /**
 - * ima_file_free - called on __fput()
 + * __ima_file_free - called on __fput()
  * @file: pointer to file structure being freed
  *
  * Flag files that changed, based on i_version;
  * and decrement the iint readcount/writecount.
  */
 -void ima_file_free(struct file *file)
 +void __ima_file_free(struct file *file)
 {
 	struct inode *inode = file->f_dentry->d_inode;
 	struct ima_iint_cache *iint;
@@ -255,7 +264,7 @@ out:
 }
 /**
 - * ima_file_mmap - based on policy, collect/store measurement.
 + * __ima_file_mmap - based on policy, collect/store measurement.
  * @file: pointer to the file to be measured (May be NULL)
  * @prot: contains the protection that will be applied by the kernel.
  *
@@ -265,7 +274,7 @@ out:
  * Return 0 on success, an error code on failure.
  * (Based on the results of appraise_measurement().)
  */
 -int ima_file_mmap(struct file *file, unsigned long prot)
 +int __ima_file_mmap(struct file *file, unsigned long prot)
 {
 	int rc;
@@ -278,7 +287,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
 }
 /**
 - * ima_bprm_check - based on policy, collect/store measurement.
 + * __ima_bprm_check - based on policy, collect/store measurement.
  * @bprm: contains the linux_binprm structure
  *
  * The OS protects against an executable file, already open for write,
@@ -290,7 +299,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
  * Return 0 on success, an error code on failure.
  * (Based on the results of appraise_measurement().)
  */
 -int ima_bprm_check(struct linux_binprm *bprm)
 +int __ima_bprm_check(struct linux_binprm *bprm)
 {
 	int rc;
@@ -300,7 +309,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
 }
 /**
 - * ima_path_check - based on policy, collect/store measurement.
 + * __ima_path_check - based on policy, collect/store measurement.
  * @file: pointer to the file to be measured
  * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
  *
@@ -309,7 +318,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
  * Always return 0 and audit dentry_open failures.
  * (Return code will be based upon measurement appraisal.)
  */
 -int ima_file_check(struct file *file, int mask)
 +int __ima_file_check(struct file *file, int mask)
 {
 	int rc;
@@ -318,12 +327,15 @@ int ima_file_check(struct file *file, int mask)
 				 FILE_CHECK);
 	return 0;
 }
 -EXPORT_SYMBOL_GPL(ima_file_check);
 +EXPORT_SYMBOL_GPL(__ima_file_check);
 static int __init init_ima(void)
 {
 	int error;
 +	if (!ima_enabled)
 +		return 0;
 +
 	error = ima_init();
 	ima_initialized = 1;
 	return error;
 -- 
 1.7.3.1
--- a/kernel.spec
+++ b/kernel.spec
@ -727,6 +727,8 @@ Patch12302: pnpacpi-cope-with-invalid-device-ids.patch
 Patch12303: dmar-disable-when-ricoh-multifunction.patch
 Patch12304: ima-allow-it-to-be-completely-disabled-and-default-off.patch
 %endif
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@ -1343,6 +1345,8 @@ ApplyPatch pnpacpi-cope-with-invalid-device-ids.patch
 # rhbz#605888
 ApplyPatch dmar-disable-when-ricoh-multifunction.patch
 ApplyPatch ima-allow-it-to-be-completely-disabled-and-default-off.patch
 # END OF PATCH APPLICATIONS
 %endif
@ -1950,6 +1954,10 @@ fi
 #                 ||     ||
 %changelog
 * Mon Oct 18 2010 Kyle McMartin <kyle@redhat.com>
 - ima: Default it to off, pass ima=on to enable. Reduce impact of the option
  when disabled.
 * Mon Oct 18 2010 Kyle McMartin <kyle@redhat.com>
 - Quirk to disable DMAR with Ricoh card reader/firewire. (rhbz#605888)