This patch provides kernel parameter 'ima=off' that disables IMA. This will reduce memory consumption by the ima when it is not needed. Specifically, this saves one pointer per inode in the system.
Originally-by: Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx>
Signed-off-by: Song Liu <song@xxxxxxxxxx>
---
 security/integrity/ima/ima_main.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 06132cf47016..21968c78f03f 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -1144,10 +1144,22 @@ static int ima_kernel_module_request(char *kmod_name)
 #endif /* CONFIG_INTEGRITY_ASYMMETRIC_KEYS */
+
+static int ima_mode = 1;
+static int __init ima_setup(char *str)
+{
+ if (strncmp(str, "off", 3) == 0)
+ ima_mode = 0;
+ return 1;
+}
+__setup("ima=", ima_setup);
+
 static int __init init_ima(void)
 {
 int error;
+ if (!ima_mode)
+ return 0;
 ima_appraise_parse_cmdline();
 ima_init_template_list();
 hash_setup(CONFIG_IMA_DEFAULT_HASH);
@@ -1217,6 +1229,7 @@ DEFINE_LSM(ima) = {
 .name = "ima",
 .init = init_ima_lsm,
 .order = LSM_ORDER_LAST,
+ .enabled = &ima_mode,
 .blobs = &ima_blob_sizes,
 };
--
2.43.5
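Review bot: `ima=off` in `ima_setup()` switches off measurement and appraisal for anyone who can edit the kernel command line, and nothing in this hunk gates it: there is no Kconfig guard comparable to `CONFIG_IMA_APPRAISE_BOOTPARAM`, no secure-boot or lockdown consideration, and no log line recording that IMA was disabled. On systems that depend on IMA appraisal for enforcement this reads as a boot-time bypass, so I would put the parameter behind a config option that hardened builds can leave unset and emit a `pr_notice()` when it takes effect. The comparison is also a prefix match, so a value such as `ima=offline` disables IMA too, and any other value is silently accepted; `if (strcmp(str, "off") == 0)` would accept only the intended spelling. The diffstat lists a single file, so the new parameter is not yet described in the kernel-parameters documentation. The body of `init_ima()` continues past the end of this hunk.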
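Review bot: With `.enabled = &ima_mode` the flag is no longer written only by `ima_setup()`; as far as I recall the LSM core also stores its own enable decision through `lsm_info.enabled` while resolving the LSM list, so the early return in `init_ima()` may act on a value the command-line handler never set. That is probably the intended coupling, but it should be stated on the declaration, for example `/* 0 when IMA is disabled by ima=off or by the LSM core; read by init_ima() */`, and a name like `ima_enabled` would describe the variable better than `ima_mode`. It is also worth confirming that any IMA entry point reached outside the LSM hook list (none are visible in this hunk) tolerates IMA never having been initialised. The `DEFINE_LSM(ima)` initialiser begins before this hunk.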