summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2017-04-24 22:06:49 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2017-06-21 14:37:12 -0400
commite1f5e01f4b035ced1c71b40866e4e5c0508fbb0b (patch)
treed17fa7316999c9dd88e05d061c2d34b168f54661
parent503ceaef8e2e7dbbdb04a867acc6fe4c548ede7f (diff)
downloadlinux-e1f5e01f4b035ced1c71b40866e4e5c0508fbb0b.tar.gz
linux-e1f5e01f4b035ced1c71b40866e4e5c0508fbb0b.tar.bz2
linux-e1f5e01f4b035ced1c71b40866e4e5c0508fbb0b.zip
ima: define Kconfig IMA_APPRAISE_BOOTPARAM option
Permit enabling the different "ima_appraise=" modes (eg. log, fix) from the boot command line. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-rw-r--r--security/integrity/ima/Kconfig8
-rw-r--r--security/integrity/ima/ima_appraise.c2
2 files changed, 10 insertions, 0 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 370eb2f4dd37..8b688a26033d 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -155,6 +155,14 @@ config IMA_APPRAISE
<http://linux-ima.sourceforge.net>
If unsure, say N.
+config IMA_APPRAISE_BOOTPARAM
+ bool "ima_appraise boot parameter"
+ depends on IMA_APPRAISE
+ default y
+ help
+ This option enables the different "ima_appraise=" modes
+ (eg. fix, log) from the boot command line.
+
config IMA_TRUSTED_KEYRING
bool "Require all keys on the .ima keyring be signed (deprecated)"
depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 5d0785cfe063..ac546df73afc 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -20,12 +20,14 @@
static int __init default_appraise_setup(char *str)
{
+#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
if (strncmp(str, "off", 3) == 0)
ima_appraise = 0;
else if (strncmp(str, "log", 3) == 0)
ima_appraise = IMA_APPRAISE_LOG;
else if (strncmp(str, "fix", 3) == 0)
ima_appraise = IMA_APPRAISE_FIX;
+#endif
return 1;
}