c26e0efd3c
mwa-delphia -> stx-clients mwa-pitta -> stx-config mwa-cleo -> stx-fault mwa-gplv2 -> stx-gplv2 mwa-gplv3 -> stx-gplv3 mwa-solon -> stx-ha mwa-sparta -> stx-integ mwa-beas -> stx-metal mwa-thales -> stx-nfv mwa-chilon -> stx-update mwa-perian -> stx-upstream Edit build_srpm.data files to remove references to mwa-* directories. Substitute $STX_BASE, $GIT_BASE, $PKG_BASE as required. While editing build_srpm.data, might also move some files on the principle ... $PKG_BASE/files is for distro independednt files $PKG_BASE/centos/files is for CentOS specific files Depends-On: https://review.openstack.org/579954 Depends-On: https://review.openstack.org/579957 Change-Id: If0c3c3e9296804d76c2031595697b7a5f2825f03 Signed-off-by: Scott Little <scott.little@windriver.com>
55 lines
1.8 KiB
Diff
55 lines
1.8 KiB
Diff
From 0c83c892509e592692e5002d855ce1f3001149e5 Mon Sep 17 00:00:00 2001
|
|
From: Kam Nasim <kam.nasim@windriver.com>
|
|
Date: Fri, 22 Sep 2017 16:47:36 -0400
|
|
Subject: [PATCH] US103091: IMA: System Configuration
|
|
|
|
Since IMA does measurements on all EXT4 file systems (as per IMA
|
|
policy), we end up with a large number of measurements for log files and
|
|
the DRBD fs. Therefore we restrict IMA to only do measurements &
|
|
appraisals on file systems that have i_version set, which is only the
|
|
rootfs.
|
|
---
|
|
ima/ima_main.c | 6 +++++-
|
|
kcompat.h | 1 +
|
|
2 files changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/ima/ima_main.c b/ima/ima_main.c
|
|
index 5d6ba23..ea3ace3 100644
|
|
--- a/ima/ima_main.c
|
|
+++ b/ima/ima_main.c
|
|
@@ -22,6 +22,7 @@
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/file.h>
|
|
+#include <linux/fs.h>
|
|
#include <linux/binfmts.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/mman.h>
|
|
@@ -178,7 +179,10 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
|
|
bool violation_check;
|
|
enum hash_algo hash_algo;
|
|
|
|
- if (!ima_policy_flag || !S_ISREG(inode->i_mode))
|
|
+ /* WRS: Only do measurements & appraisals
|
|
+ * on inodes that have i_version set (i.e the rootfs)
|
|
+ */
|
|
+ if (!ima_policy_flag || !S_ISREG(inode->i_mode) || !IS_I_VERSION(inode))
|
|
return 0;
|
|
|
|
/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
|
|
diff --git a/kcompat.h b/kcompat.h
|
|
index a5445aa..59e32a8 100644
|
|
--- a/kcompat.h
|
|
+++ b/kcompat.h
|
|
@@ -19,6 +19,7 @@
|
|
#define CONFIG_IMA 1
|
|
#define CONFIG_IMA_APPRAISE_SIGNED_INIT 1
|
|
#define CONFIG_IMA_APPRAISE 1
|
|
+#define CONFIG_IMA_LSM_RULES 1
|
|
#define CONFIG_IMA_DEFAULT_HASH "sha256"
|
|
#define CONFIG_IMA_MEASURE_PCR_IDX 10
|
|
#define CONFIG_IMA_DEFAULT_TEMPLATE "ima-sig"
|
|
--
|
|
1.8.3.1
|
|
|