ima: define Kconfig IMA_APPRAISE_BOOTPARAM option

Permit enabling the different "ima_appraise=" modes (eg. log, fix)
from the boot command line.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 370eb2f4dd379f7cf0708f17306f5a98c721443b..8b688a26033d80903051409387bccd0cceca4657 100644 (file)
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -155,6 +155,14 @@ config IMA_APPRAISE
          <http://linux-ima.sourceforge.net>
          If unsure, say N.
 
+config IMA_APPRAISE_BOOTPARAM
+       bool "ima_appraise boot parameter"
+       depends on IMA_APPRAISE
+       default y
+       help
+         This option enables the different "ima_appraise=" modes
+         (eg. fix, log) from the boot command line.
+
 config IMA_TRUSTED_KEYRING
        bool "Require all keys on the .ima keyring be signed (deprecated)"
        depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 5d0785cfe06387f65a53f84f2832007d77a7932c..ac546df73afc84239518e3eb2a4c1b93631e5a59 100644 (file)
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -20,12 +20,14 @@
 
 static int __init default_appraise_setup(char *str)
 {
+#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
        if (strncmp(str, "off", 3) == 0)
                ima_appraise = 0;
        else if (strncmp(str, "log", 3) == 0)
                ima_appraise = IMA_APPRAISE_LOG;
        else if (strncmp(str, "fix", 3) == 0)
                ima_appraise = IMA_APPRAISE_FIX;
+#endif
        return 1;
 }