authorKyle McMartin <kyle@redhat.com>2011-05-14 11:10:56 -0400
committerKyle McMartin <kyle@redhat.com>2011-05-14 11:11:01 -0400
commit9787d244d77869af27c5382d0c4ddc92cf439a11 (patch)
tree28ed62c5279f55cbbafdac555c3e3f9a8ac5c987 /ima-allow-it-to-be-completely-disabled-and-default-off.patch
parent480eadaeb57b1f12a3f47aff25ed7001f3387842 (diff)
tmpfs: implement generic xattr support
Merge Eric Paris' patch to add xattr support to tmpfs, so that it can be used to host mockroots for mass rebuilds. Drop the IMA-disabling patch, which is no longer necessary since its run-time (but unused) cost is now minimized.
Diffstat (limited to 'ima-allow-it-to-be-completely-disabled-and-default-off.patch')
-rw-r--r--ima-allow-it-to-be-completely-disabled-and-default-off.patch145
1 files changed, 0 insertions, 145 deletions
diff --git a/ima-allow-it-to-be-completely-disabled-and-default-off.patch b/ima-allow-it-to-be-completely-disabled-and-default-off.patch
deleted file mode 100644
index 4f8f1f18..00000000
--- a/ima-allow-it-to-be-completely-disabled-and-default-off.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 785465d9cffd65b5a69dd2f465d2f7c917713220 Mon Sep 17 00:00:00 2001
-From: Kyle McMartin <kyle@mcmartin.ca>
-Date: Mon, 18 Oct 2010 13:30:39 -0400
-Subject: [PATCH] ima: provide a toggle to disable it entirely
-
-Signed-off-by: Kyle McMartin <kyle@redhat.com>
----
- security/integrity/ima/ima.h | 1 +
- security/integrity/ima/ima_iint.c | 9 +++++++++
- security/integrity/ima/ima_main.c | 24 +++++++++++++++++++++---
- 3 files changed, 31 insertions(+), 3 deletions(-)
-
-diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
-index 3fbcd1d..65c3977 100644
---- a/security/integrity/ima/ima.h
-+++ b/security/integrity/ima/ima.h
-@@ -37,6 +37,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
- /* set during initialization */
- extern int iint_initialized;
- extern int ima_initialized;
-+extern int ima_enabled;
- extern int ima_used_chip;
- extern char *ima_hash;
-
-diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c
-index afba4ae..3d191ef 100644
---- a/security/integrity/ima/ima_iint.c
-+++ b/security/integrity/ima/ima_iint.c
-@@ -54,6 +54,9 @@ int ima_inode_alloc(struct inode *inode)
- struct ima_iint_cache *iint = NULL;
- int rc = 0;
-
-+ if (!ima_enabled)
-+ return 0;
-+
- iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
- if (!iint)
- return -ENOMEM;
-@@ -116,6 +119,9 @@ void ima_inode_free(struct inode *inode)
- {
- struct ima_iint_cache *iint;
-
-+ if (!ima_enabled)
-+ return;
-+
- spin_lock(&ima_iint_lock);
- iint = radix_tree_delete(&ima_iint_store, (unsigned long)inode);
- spin_unlock(&ima_iint_lock);
-@@ -139,6 +145,9 @@ static void init_once(void *foo)
-
- static int __init ima_iintcache_init(void)
- {
-+ if (!ima_enabled)
-+ return 0;
-+
- iint_cache =
- kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0,
- SLAB_PANIC, init_once);
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index e662b89..6e91905 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -26,6 +26,7 @@
- #include "ima.h"
-
- int ima_initialized;
-+int ima_enabled;
-
- char *ima_hash = "sha1";
- static int __init hash_setup(char *str)
-@@ -36,6 +37,14 @@ static int __init hash_setup(char *str)
- }
- __setup("ima_hash=", hash_setup);
-
-+static int __init ima_enable(char *str)
-+{
-+ if (strncmp(str, "on", 2) == 0)
-+ ima_enabled = 1;
-+ return 1;
-+}
-+__setup("ima=", ima_enable);
-+
- struct ima_imbalance {
- struct hlist_node node;
- unsigned long fsmagic;
-@@ -148,7 +157,7 @@ void ima_counts_get(struct file *file)
- struct ima_iint_cache *iint;
- int rc;
-
-- if (!iint_initialized || !S_ISREG(inode->i_mode))
-+ if (!ima_enabled || !iint_initialized || !S_ISREG(inode->i_mode))
- return;
- iint = ima_iint_find_get(inode);
- if (!iint)
-@@ -215,7 +224,7 @@ void ima_file_free(struct file *file)
- struct inode *inode = file->f_dentry->d_inode;
- struct ima_iint_cache *iint;
-
-- if (!iint_initialized || !S_ISREG(inode->i_mode))
-+ if (!ima_enabled || !iint_initialized || !S_ISREG(inode->i_mode))
- return;
- iint = ima_iint_find_get(inode);
- if (!iint)
-@@ -269,7 +278,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
- {
- int rc;
-
-- if (!file)
-+ if (!ima_enabled || !file)
- return 0;
- if (prot & PROT_EXEC)
- rc = process_measurement(file, file->f_dentry->d_name.name,
-@@ -294,6 +303,9 @@ int ima_bprm_check(struct linux_binprm *bprm)
- {
- int rc;
-
-+ if (!ima_enabled)
-+ return 0;
-+
- rc = process_measurement(bprm->file, bprm->filename,
- MAY_EXEC, BPRM_CHECK);
- return 0;
-@@ -313,6 +325,9 @@ int ima_file_check(struct file *file, int mask)
- {
- int rc;
-
-+ if (!ima_enabled)
-+ return 0;
-+
- rc = process_measurement(file, file->f_dentry->d_name.name,
- mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
- FILE_CHECK);
-@@ -324,6 +339,9 @@ static int __init init_ima(void)
- {
- int error;
-
-+ if (!ima_enabled)
-+ return 0;
-+
- error = ima_init();
- ima_initialized = 1;
- return error;
---
-1.7.3.1
-