This patch moves the integrity_audit_msg() function and defintion to
security/integrity/, the parent directory, renames the 'ima_audit'
boot command line option to 'integrity_audit', and fixes the Kconfig
help text to reflect the actual code.
Changelog:
- Fixed ifdef inclusion of integrity_audit_msg() (Fengguang Wu)
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
The builtin appraise policy appraises all files
owned by uid=0.
The builtin appraise policy appraises all files
owned by uid=0.
- ima_audit= [IMA]
- Format: { "0" | "1" }
- 0 -- integrity auditing messages. (Default)
- 1 -- enable informational integrity auditing messages.
-
ima_hash= [IMA]
Format: { "sha1" | "md5" }
default: "sha1"
ima_hash= [IMA]
Format: { "sha1" | "md5" }
default: "sha1"
inport.irq= [HW] Inport (ATI XL and Microsoft) busmouse driver
Format: <irq>
inport.irq= [HW] Inport (ATI XL and Microsoft) busmouse driver
Format: <irq>
+ integrity_audit=[IMA]
+ Format: { "0" | "1" }
+ 0 -- basic integrity auditing messages. (Default)
+ 1 -- additional integrity auditing messages.
+
intel_iommu= [DMAR] Intel IOMMU driver (DMAR) option
on
Enable intel iommu driver.
intel_iommu= [DMAR] Intel IOMMU driver (DMAR) option
on
Enable intel iommu driver.
This is useful for evm and module keyrings, when keys are
usually only added from initramfs.
This is useful for evm and module keyrings, when keys are
usually only added from initramfs.
+config INTEGRITY_AUDIT
+ bool "Enables integrity auditing support "
+ depends on INTEGRITY && AUDIT
+ default y
+ help
+ In addition to enabling integrity auditing support, this
+ option adds a kernel parameter 'integrity_audit', which
+ controls the level of integrity auditing messages.
+ 0 - basic integrity auditing messages (default)
+ 1 - additional integrity auditing messages
+
+ Additional informational integrity auditing messages would
+ be enabled by specifying 'integrity_audit=1' on the kernel
+ command line.
+
config INTEGRITY_ASYMMETRIC_KEYS
boolean "Enable asymmetric keys support"
depends on INTEGRITY_SIGNATURE
config INTEGRITY_ASYMMETRIC_KEYS
boolean "Enable asymmetric keys support"
depends on INTEGRITY_SIGNATURE
#
obj-$(CONFIG_INTEGRITY) += integrity.o
#
obj-$(CONFIG_INTEGRITY) += integrity.o
+obj-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o
obj-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
obj-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
obj-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
obj-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
that IMA uses to maintain the integrity aggregate of the
measurement list. If unsure, use the default 10.
that IMA uses to maintain the integrity aggregate of the
measurement list. If unsure, use the default 10.
-config IMA_AUDIT
- bool "Enables auditing support"
- depends on IMA
- depends on AUDIT
- default y
- help
- This option adds a kernel parameter 'ima_audit', which
- allows informational auditing messages to be enabled
- at boot. If this option is selected, informational integrity
- auditing messages can be enabled with 'ima_audit=1' on
- the kernel command line.
-
config IMA_LSM_RULES
bool
depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
config IMA_LSM_RULES
bool
depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
ima_policy.o
ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
ima_policy.o
-ima-$(CONFIG_IMA_AUDIT) += ima_audit.o
ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
};
extern struct list_head ima_measurements; /* list of all measurements */
};
extern struct list_head ima_measurements; /* list of all measurements */
-#ifdef CONFIG_IMA_AUDIT
-/* declarations */
-void integrity_audit_msg(int audit_msgno, struct inode *inode,
- const unsigned char *fname, const char *op,
- const char *cause, int result, int info);
-#else
-static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
- const unsigned char *fname,
- const char *op, const char *cause,
- int result, int info)
-{
-}
-#endif
-
/* Internal IMA function definitions */
int ima_init(void);
void ima_cleanup(void);
/* Internal IMA function definitions */
int ima_init(void);
void ima_cleanup(void);
+#ifdef CONFIG_INTEGRITY_AUDIT
+/* declarations */
+void integrity_audit_msg(int audit_msgno, struct inode *inode,
+ const unsigned char *fname, const char *op,
+ const char *cause, int result, int info);
+#else
+static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
+ const unsigned char *fname,
+ const char *op, const char *cause,
+ int result, int info)
+{
+}
+#endif
+
/* set during initialization */
extern int iint_initialized;
/* set during initialization */
extern int iint_initialized;
#include <linux/fs.h>
#include <linux/gfp.h>
#include <linux/audit.h>
#include <linux/fs.h>
#include <linux/gfp.h>
#include <linux/audit.h>
+static int integrity_audit_info;
/* ima_audit_setup - enable informational auditing messages */
/* ima_audit_setup - enable informational auditing messages */
-static int __init ima_audit_setup(char *str)
+static int __init integrity_audit_setup(char *str)
{
unsigned long audit;
if (!strict_strtoul(str, 0, &audit))
{
unsigned long audit;
if (!strict_strtoul(str, 0, &audit))
- ima_audit = audit ? 1 : 0;
+ integrity_audit_info = audit ? 1 : 0;
-__setup("ima_audit=", ima_audit_setup);
+__setup("integrity_audit=", integrity_audit_setup);
void integrity_audit_msg(int audit_msgno, struct inode *inode,
const unsigned char *fname, const char *op,
void integrity_audit_msg(int audit_msgno, struct inode *inode,
const unsigned char *fname, const char *op,
{
struct audit_buffer *ab;
{
struct audit_buffer *ab;
- if (!ima_audit && audit_info == 1) /* Skip informational messages */
+ if (!integrity_audit_info && audit_info == 1) /* Skip info messages */
return;
ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno);
return;
ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno);