• Dmitry Kasatkin's avatar
    ima: add policy support for file system uuid · 85865c1f
    Dmitry Kasatkin authored
    The IMA policy permits specifying rules to enable or disable
    measurement/appraisal/audit based on the file system magic number.
    If, for example, the policy contains an ext4 measurement rule,
    the rule is enabled for all ext4 partitions.
    
    Sometimes it might be necessary to enable measurement/appraisal/audit
    only for one partition and disable it for another partition of the
    same type.  With the existing IMA policy syntax, this can not be done.
    
    This patch provides support for IMA policy rules to specify the file
    system by its UUID (eg. fsuuid=397449cd-687d-4145-8698-7fed4a3e0363).
    
    For partitions not being appraised, it might be a good idea to mount
    file systems with the 'noexec' option to prevent executing non-verified
    binaries.
    Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@intel.com>
    Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
    85865c1f
ima_policy.c 18.4 KB