Commit 345123d6 authored by Jann Horn, committed by Mimi Zohar

ima: add dont_audit action to suppress audit actions
"measure", "appraise" and "hash" actions all have corresponding "dont_*"
actions, but "audit" currently lacks that. This means it is not
currently possible to have a policy that audits everything by default,
but excludes specific cases.

This seems to have been an oversight back when the "audit" action was
added.

Add a corresponding "dont_audit" action to enable such uses.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
parent 8f3fc4f3
@@ -20,7 +20,7 @@ Description:
		  rule format: action [condition ...]

		  action: measure | dont_measure | appraise | dont_appraise |
			  audit | hash | dont_hash
			  audit | dont_audit | hash | dont_hash
		  condition:= base | lsm  [option]
			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
				[uid=] [euid=] [gid=] [egid=]
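Review bot: the ABI text only gains the token "dont_audit" in the action list; the "audit everything by default, but exclude specific cases" use the commit message describes depends on rule ordering, so a one-line example next to the rule format (for instance a "dont_audit fsmagic=..." rule placed before a bare "audit func=..." rule, using the conditions already listed here) would make the intended usage clear to policy authors without them having to read ima_policy.c.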
@@ -45,6 +45,7 @@
#define APPRAISE	0x0004	/* same as IMA_APPRAISE */
#define DONT_APPRAISE	0x0008
#define AUDIT		0x0040
#define DONT_AUDIT	0x0080
#define HASH		0x0100
#define DONT_HASH	0x0200
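Review bot: the value chosen for DONT_AUDIT (0x0080) preserves the pairing that the existing flags follow, where each "dont" flag is its positive counterpart shifted left by one (APPRAISE 0x0004 / DONT_APPRAISE 0x0008, HASH 0x0100 / DONT_HASH 0x0200), and the gap between 0x0008 and 0x0040 is left alone. That shift relationship is an invariant rather than a cosmetic choice, so it is worth a short comment on this #define block saying that each DONT_* must equal its action << 1, since nothing in the header otherwise stops a future flag from breaking the pattern.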

@@ -1064,7 +1065,7 @@ void ima_update_policy(void)
enum policy_opt {
	Opt_measure, Opt_dont_measure,
	Opt_appraise, Opt_dont_appraise,
	Opt_audit, Opt_hash, Opt_dont_hash,
	Opt_audit, Opt_dont_audit, Opt_hash, Opt_dont_hash,
	Opt_obj_user, Opt_obj_role, Opt_obj_type,
	Opt_subj_user, Opt_subj_role, Opt_subj_type,
	Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid,
@@ -1086,6 +1087,7 @@ static const match_table_t policy_tokens = {
	{Opt_appraise, "appraise"},
	{Opt_dont_appraise, "dont_appraise"},
	{Opt_audit, "audit"},
	{Opt_dont_audit, "dont_audit"},
	{Opt_hash, "hash"},
	{Opt_dont_hash, "dont_hash"},
	{Opt_obj_user, "obj_user=%s"},
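Review bot: the new {Opt_dont_audit, "dont_audit"} entry is placed at the same position in policy_tokens as Opt_dont_audit occupies in enum policy_opt, which is required because ima_policy_show reads the string back through pt(Opt_dont_audit). The two lists are kept in step here, but the index coupling is implicit; a comment on the table (or on the enum) stating that the order must match would keep the next action addition from silently printing the wrong token.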
@@ -1478,6 +1480,14 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)

			entry->action = AUDIT;
			break;
		case Opt_dont_audit:
			ima_log_string(ab, "action", "dont_audit");

			if (entry->action != UNKNOWN)
				result = -EINVAL;

			entry->action = DONT_AUDIT;
			break;
		case Opt_hash:
			ima_log_string(ab, "action", "hash");

@@ -2097,6 +2107,8 @@ int ima_policy_show(struct seq_file *m, void *v)
		seq_puts(m, pt(Opt_dont_appraise));
	if (entry->action & AUDIT)
		seq_puts(m, pt(Opt_audit));
	if (entry->action & DONT_AUDIT)
		seq_puts(m, pt(Opt_dont_audit));
	if (entry->action & HASH)
		seq_puts(m, pt(Opt_hash));
	if (entry->action & DONT_HASH)