
ima: add dont_audit action to suppress audit actions

"measure", "appraise" and "hash" actions all have corresponding "dont_*"
actions, but "audit" currently lacks that. This means it is not
currently possible to have a policy that audits everything by default,
but excludes specific cases.

This seems to have been an oversight back when the "audit" action was
added.

Add a corresponding "dont_audit" action to enable such uses.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

authored by

Jann Horn and committed by
Mimi Zohar
345123d6 8f3fc4f3

+14 -2
+1 -1
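--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -20,7 +20,7 @@
 rule format: action [condition ...]
 
 action: measure | dont_measure | appraise | dont_appraise |
-audit | hash | dont_hash
+audit | dont_audit | hash | dont_hash
 condition:= base | lsm [option]
 base: [[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
 [uid=] [euid=] [gid=] [egid=]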
+13 -1
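--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -45,6 +45,7 @@
 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */
 #define DONT_APPRAISE 0x0008
 #define AUDIT 0x0040
+#define DONT_AUDIT 0x0080
 #define HASH 0x0100
 #define DONT_HASH 0x0200
 
@@ -1065,7 +1064,7 @@
 enum policy_opt {
 Opt_measure, Opt_dont_measure,
 Opt_appraise, Opt_dont_appraise,
-Opt_audit, Opt_hash, Opt_dont_hash,
+Opt_audit, Opt_dont_audit, Opt_hash, Opt_dont_hash,
 Opt_obj_user, Opt_obj_role, Opt_obj_type,
 Opt_subj_user, Opt_subj_role, Opt_subj_type,
 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid,
@@ -1087,6 +1086,7 @@
 {Opt_appraise, "appraise"},
 {Opt_dont_appraise, "dont_appraise"},
 {Opt_audit, "audit"},
+{Opt_dont_audit, "dont_audit"},
 {Opt_hash, "hash"},
 {Opt_dont_hash, "dont_hash"},
 {Opt_obj_user, "obj_user=%s"},
@@ -1479,6 +1477,14 @@
 result = -EINVAL;
 
 entry->action = AUDIT;
+break;
+case Opt_dont_audit:
+ima_log_string(ab, "action", "dont_audit");
+
+if (entry->action != UNKNOWN)
+result = -EINVAL;
+
+entry->action = DONT_AUDIT;
 break;
 case Opt_hash:
 ima_log_string(ab, "action", "hash");
@@ -2107,6 +2097,8 @@
 seq_puts(m, pt(Opt_dont_appraise));
 if (entry->action & AUDIT)
 seq_puts(m, pt(Opt_audit));
+if (entry->action & DONT_AUDIT)
+seq_puts(m, pt(Opt_dont_audit));
 if (entry->action & HASH)
 seq_puts(m, pt(Opt_hash));
 if (entry->action & DONT_HASH)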
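Review bot: The new `DONT_AUDIT` value 0x0080 in the first hunk is placed one bit above `AUDIT` 0x0040, matching the `APPRAISE` 0x0004/`DONT_APPRAISE` 0x0008 and `HASH` 0x0100/`DONT_HASH` 0x0200 pairs visible beside it, but nothing in the diff records that this adjacency is load-bearing. The rule-matching code that cancels a pending action when a `dont_*` rule fires is not in this commit; if, as the paired values suggest, it derives the `dont_*` bit from the action bit by a shift, then the define is correct only while the pairing holds and a short comment would protect it, e.g. `#define DONT_AUDIT 0x0080 /* must stay AUDIT << 1: do/dont actions are paired by adjacent bits */`; the existing `/* same as IMA_APPRAISE */` note also suggests these values mirror flags defined elsewhere, which is worth confirming for 0x0080. The `case Opt_dont_audit:` body in the parser hunk is the fourth copy of the same log/`UNKNOWN`-check/assign sequence, so a small static helper taking the option name and action value would stop the next action from repeating it. Both the parser's switch and the `seq_puts` display function begin and end outside the hunks shown.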