releases/4.1.4/ima-skip-measurement-of-cgroupfs-files-and-update-documentation.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 6438de9f3fb5180d78a0422695d0b88c687757d3 Mon Sep 17 00:00:00 2001
 From: Roberto Sassu <rsassu@suse.de>
 Date: Sat, 11 Apr 2015 17:13:06 +0200
 Subject: ima: skip measurement of cgroupfs files and update documentation

 From: Roberto Sassu <rsassu@suse.de>

 commit 6438de9f3fb5180d78a0422695d0b88c687757d3 upstream.

 This patch adds a rule in the default measurement policy to skip inodes
 in the cgroupfs filesystem. Measurements for this filesystem can be
 avoided, as all the digests collected have the same value of the digest of
 an empty file.

 Furthermore, this patch updates the documentation of IMA policies in
 Documentation/ABI/testing/ima_policy to make it consistent with
 the policies set in security/integrity/ima/ima_policy.c.

 Signed-off-by: Roberto Sassu <rsassu@suse.de>
 Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  Documentation/ABI/testing/ima_policy |   17 ++++++++++++-----
  security/integrity/ima/ima_policy.c  |    2 ++
  2 files changed, 14 insertions(+), 5 deletions(-)

 --- a/Documentation/ABI/testing/ima_policy
 +++ b/Documentation/ABI/testing/ima_policy
 @@ -49,11 +49,22 @@ Description:
  			dont_measure fsmagic=0x01021994
  			dont_appraise fsmagic=0x01021994
  			# RAMFS_MAGIC
 -			dont_measure fsmagic=0x858458f6
  			dont_appraise fsmagic=0x858458f6
 +			# DEVPTS_SUPER_MAGIC
 +			dont_measure fsmagic=0x1cd1
 +			dont_appraise fsmagic=0x1cd1
 +			# BINFMTFS_MAGIC
 +			dont_measure fsmagic=0x42494e4d
 +			dont_appraise fsmagic=0x42494e4d
  			# SECURITYFS_MAGIC
  			dont_measure fsmagic=0x73636673
  			dont_appraise fsmagic=0x73636673
 +			# SELINUX_MAGIC
 +			dont_measure fsmagic=0xf97cff8c
 +			dont_appraise fsmagic=0xf97cff8c
 +			# CGROUP_SUPER_MAGIC
 +			dont_measure fsmagic=0x27e0eb
 +			dont_appraise fsmagic=0x27e0eb

  			measure func=BPRM_CHECK
  			measure func=FILE_MMAP mask=MAY_EXEC
 @@ -70,10 +81,6 @@ Description:
  		Examples of LSM specific definitions:

  		SELinux:
 -			# SELINUX_MAGIC
 -			dont_measure fsmagic=0xf97cff8c
 -			dont_appraise fsmagic=0xf97cff8c
 -
  			dont_measure obj_type=var_log_t
  			dont_appraise obj_type=var_log_t
  			dont_measure obj_type=auditd_log_t
 --- a/security/integrity/ima/ima_policy.c
 +++ b/security/integrity/ima/ima_policy.c
 @@ -79,6 +79,8 @@ static struct ima_rule_entry default_rul
  	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
  	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
  	{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
 +	{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
 +	 .flags = IMA_FSMAGIC},
  	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
  	 .flags = IMA_FUNC | IMA_MASK},
  	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
	From 6438de9f3fb5180d78a0422695d0b88c687757d3 Mon Sep 17 00:00:00 2001
	From: Roberto Sassu <rsassu@suse.de>
	Date: Sat, 11 Apr 2015 17:13:06 +0200
	Subject: ima: skip measurement of cgroupfs files and update documentation

	From: Roberto Sassu <rsassu@suse.de>

	commit 6438de9f3fb5180d78a0422695d0b88c687757d3 upstream.

	This patch adds a rule in the default measurement policy to skip inodes
	in the cgroupfs filesystem. Measurements for this filesystem can be
	avoided, as all the digests collected have the same value of the digest of
	an empty file.

	Furthermore, this patch updates the documentation of IMA policies in
	Documentation/ABI/testing/ima_policy to make it consistent with
	the policies set in security/integrity/ima/ima_policy.c.

	Signed-off-by: Roberto Sassu <rsassu@suse.de>
	Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	Documentation/ABI/testing/ima_policy \| 17 ++++++++++++-----
	security/integrity/ima/ima_policy.c \| 2 ++
	2 files changed, 14 insertions(+), 5 deletions(-)

	--- a/Documentation/ABI/testing/ima_policy
	+++ b/Documentation/ABI/testing/ima_policy
	@@ -49,11 +49,22 @@ Description:
	dont_measure fsmagic=0x01021994
	dont_appraise fsmagic=0x01021994
	# RAMFS_MAGIC
	- dont_measure fsmagic=0x858458f6
	dont_appraise fsmagic=0x858458f6
	+ # DEVPTS_SUPER_MAGIC
	+ dont_measure fsmagic=0x1cd1
	+ dont_appraise fsmagic=0x1cd1
	+ # BINFMTFS_MAGIC
	+ dont_measure fsmagic=0x42494e4d
	+ dont_appraise fsmagic=0x42494e4d
	# SECURITYFS_MAGIC
	dont_measure fsmagic=0x73636673
	dont_appraise fsmagic=0x73636673
	+ # SELINUX_MAGIC
	+ dont_measure fsmagic=0xf97cff8c
	+ dont_appraise fsmagic=0xf97cff8c
	+ # CGROUP_SUPER_MAGIC
	+ dont_measure fsmagic=0x27e0eb
	+ dont_appraise fsmagic=0x27e0eb

	measure func=BPRM_CHECK
	measure func=FILE_MMAP mask=MAY_EXEC
	@@ -70,10 +81,6 @@ Description:
	Examples of LSM specific definitions:

	SELinux:
	- # SELINUX_MAGIC
	- dont_measure fsmagic=0xf97cff8c
	- dont_appraise fsmagic=0xf97cff8c
	-
	dont_measure obj_type=var_log_t
	dont_appraise obj_type=var_log_t
	dont_measure obj_type=auditd_log_t
	--- a/security/integrity/ima/ima_policy.c
	+++ b/security/integrity/ima/ima_policy.c
	@@ -79,6 +79,8 @@ static struct ima_rule_entry default_rul
	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
	{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
	+ {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
	+ .flags = IMA_FSMAGIC},
	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
	.flags = IMA_FUNC \| IMA_MASK},
	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,