ima: add dont_audit action to suppress audit actions

"measure", "appraise" and "hash" actions all have corresponding "dont_*"
actions, but "audit" currently lacks that. This means it is not
currently possible to have a policy that audits everything by default,
but excludes specific cases.

This seems to have been an oversight back when the "audit" action was
added.

Add a corresponding "dont_audit" action to enable such uses.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index c2385183826cbb004291b72379515e544e2c069c..5d548dd2c6e7cd67a777ea36d5d2ed72b91f34ed 100644 (file)
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -20,7 +20,7 @@ Description:
                  rule format: action [condition ...]
 
                  action: measure | dont_measure | appraise | dont_appraise |
-                         audit | hash | dont_hash
+                         audit | dont_audit | hash | dont_hash
                  condition:= base | lsm  [option]
                        base:   [[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
                                [uid=] [euid=] [gid=] [egid=]

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 128fab8979308ac7e5489f21ebf550b22b264d61..c5bad3a0c43a9d8e34b90cb7cc37c5d6294dc933 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -45,6 +45,7 @@
 #define APPRAISE       0x0004  /* same as IMA_APPRAISE */
 #define DONT_APPRAISE  0x0008
 #define AUDIT          0x0040
+#define DONT_AUDIT     0x0080
 #define HASH           0x0100
 #define DONT_HASH      0x0200
 
@@ -1064,7 +1065,7 @@ void ima_update_policy(void)
 enum policy_opt {
        Opt_measure, Opt_dont_measure,
        Opt_appraise, Opt_dont_appraise,
-       Opt_audit, Opt_hash, Opt_dont_hash,
+       Opt_audit, Opt_dont_audit, Opt_hash, Opt_dont_hash,
        Opt_obj_user, Opt_obj_role, Opt_obj_type,
        Opt_subj_user, Opt_subj_role, Opt_subj_type,
        Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid,
@@ -1086,6 +1087,7 @@ static const match_table_t policy_tokens = {
        {Opt_appraise, "appraise"},
        {Opt_dont_appraise, "dont_appraise"},
        {Opt_audit, "audit"},
+       {Opt_dont_audit, "dont_audit"},
        {Opt_hash, "hash"},
        {Opt_dont_hash, "dont_hash"},
        {Opt_obj_user, "obj_user=%s"},
@@ -1478,6 +1480,14 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 
                        entry->action = AUDIT;
                        break;
+               case Opt_dont_audit:
+                       ima_log_string(ab, "action", "dont_audit");
+
+                       if (entry->action != UNKNOWN)
+                               result = -EINVAL;
+
+                       entry->action = DONT_AUDIT;
+                       break;
                case Opt_hash:
                        ima_log_string(ab, "action", "hash");
 
@@ -2097,6 +2107,8 @@ int ima_policy_show(struct seq_file *m, void *v)
                seq_puts(m, pt(Opt_dont_appraise));
        if (entry->action & AUDIT)
                seq_puts(m, pt(Opt_audit));
+       if (entry->action & DONT_AUDIT)
+               seq_puts(m, pt(Opt_dont_audit));
        if (entry->action & HASH)
                seq_puts(m, pt(Opt_hash));
        if (entry->action & DONT_HASH)