ima: skip measurement of cgroupfs files and update documentation
authorRoberto Sassu <rsassu@suse.de>
Sat, 11 Apr 2015 15:13:06 +0000 (17:13 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 3 Aug 2015 16:29:11 +0000 (09:29 -0700)
commit 6438de9f3fb5180d78a0422695d0b88c687757d3 upstream.

This patch adds a rule in the default measurement policy to skip inodes
in the cgroupfs filesystem. Measurements for this filesystem can be
avoided, as every digest collected from it is the same value: the digest
of an empty file.

Furthermore, this patch updates the documentation of IMA policies in
Documentation/ABI/testing/ima_policy to make it consistent with
the policies set in security/integrity/ima/ima_policy.c.

Signed-off-by: Roberto Sassu <rsassu@suse.de>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Documentation/ABI/testing/ima_policy
security/integrity/ima/ima_policy.c

index d0d0c578324c7437324d5a23f1536cc1f0f2a08d..232e174aa5de56460caff8ca54feada83e0599b9 100644 (file)
@@ -49,11 +49,22 @@ Description:
                        dont_measure fsmagic=0x01021994
                        dont_appraise fsmagic=0x01021994
                        # RAMFS_MAGIC
-                       dont_measure fsmagic=0x858458f6
                        dont_appraise fsmagic=0x858458f6
+                       # DEVPTS_SUPER_MAGIC
+                       dont_measure fsmagic=0x1cd1
+                       dont_appraise fsmagic=0x1cd1
+                       # BINFMTFS_MAGIC
+                       dont_measure fsmagic=0x42494e4d
+                       dont_appraise fsmagic=0x42494e4d
                        # SECURITYFS_MAGIC
                        dont_measure fsmagic=0x73636673
                        dont_appraise fsmagic=0x73636673
+                       # SELINUX_MAGIC
+                       dont_measure fsmagic=0xf97cff8c
+                       dont_appraise fsmagic=0xf97cff8c
+                       # CGROUP_SUPER_MAGIC
+                       dont_measure fsmagic=0x27e0eb
+                       dont_appraise fsmagic=0x27e0eb
 
                        measure func=BPRM_CHECK
                        measure func=FILE_MMAP mask=MAY_EXEC
@@ -70,10 +81,6 @@ Description:
                Examples of LSM specific definitions:
 
                SELinux:
-                       # SELINUX_MAGIC
-                       dont_measure fsmagic=0xf97cff8c
-                       dont_appraise fsmagic=0xf97cff8c
-
                        dont_measure obj_type=var_log_t
                        dont_appraise obj_type=var_log_t
                        dont_measure obj_type=auditd_log_t
index d1eefb9d65fb2bb457c280103ed9913fc4ade255..b17f26fa727a4b5270ba02fccbde5dd7b93ad337 100644 (file)
@@ -79,6 +79,8 @@ static struct ima_rule_entry default_rules[] = {
        {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
        {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
        {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
+       {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
+        .flags = IMA_FSMAGIC},
        {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
         .flags = IMA_FUNC | IMA_MASK},
        {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
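Review bot: The added CGROUP_SUPER_MAGIC entry is a DONT_MEASURE rule only, while the documentation hunk above now lists both `dont_measure fsmagic=0x27e0eb` and `dont_appraise fsmagic=0x27e0eb` as compiled-in defaults; if default_appraise_rules (not visible in this hunk) does not already carry a matching DONT_APPRAISE entry, the documented policy and the policy this file actually installs diverge, which is the inconsistency the commit says it is fixing. Please confirm the appraise array has the entry, or add it in the same change. The rationale for skipping this filesystem lives only in the commit message, and since a fsmagic-keyed DONT_MEASURE rule exempts every superblock reporting that magic from the measurement list, a one-line comment above the new entry would help a future reader judge whether the exemption still holds: `/* cgroupfs files read as empty, so every measurement would be the empty-file digest */`. The default_rules array continues past the end of this hunk.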