Hi Tushar,

On Fri, 2021-01-29 at 16:45 -0800, Tushar Sugandhi wrote:
> IMA needs to support duplicate measurements of integrity
> critical data to accurately determine the current state of that data
> on the system. Further, since measurement of duplicate data is not
> required for all the use cases, it needs to be policy driven.
>
> Define "allow_dup", a new IMA policy condition, for the IMA func
> CRITICAL_DATA to allow duplicate buffer measurement of integrity
> critical data.
>
> Limit the ability to measure duplicate buffer data when action is
> "measure" and func is CRITICAL_DATA.

Why?!

>
> Signed-off-by: Tushar Sugandhi <tusharsu@xxxxxxxxxxxxxxxxxxx>
> ---
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 9b45d064a87d..b89eb768dd05 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -35,6 +35,7 @@
> #define IMA_FSNAME 0x0200
> #define IMA_KEYRINGS 0x0400
> #define IMA_LABEL 0x0800
> +#define IMA_ALLOW_DUP 0x1000
>
> #define UNKNOWN 0
> #define MEASURE 0x0001 /* same as IMA_MEASURE */
> @@ -87,6 +88,7 @@ struct ima_rule_entry {
> char *fsname;
> struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */
> struct ima_rule_opt_list *label; /* Measure data grouped under this label */

Defining a new boolean entry shouldn't be necessary. The other boolean
values are just stored in "flags".

> struct ima_template_desc *template;
> };

thanks,

Mimi
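Review bot: in the first hunk (the #define block at @@ -35,6 +35,7 @@), IMA_ALLOW_DUP 0x1000 is the next free bit after IMA_LABEL 0x0800, so it does not collide with the flag bits visible here; however, the commit message says the option is only valid when action is "measure" and func is CRITICAL_DATA, and the policy-parsing change that enforces that restriction is not in the quoted portion, so it cannot be verified from this hunk. The commit message should also say why that restriction is needed, which is what the "Why?!" above is asking.

Review bot: in the second hunk (struct ima_rule_entry at @@ -87,6 +88,7 @@), the header says one line is added after the label member, but the added line is missing from the quoted text, so its name and type cannot be checked here; as the reply points out, the other boolean conditions live in the rule's "flags", so a dedicated member is redundant once IMA_ALLOW_DUP is a flag bit. Drop the new member and test flags & IMA_ALLOW_DUP where the duplicate-measurement decision is made.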