IMA: allow reading back the current IMA policy

commit 80eae209d63ac6361c7b445f7e7e41f39c044772 upstream It is often useful to be able to read back the IMA policy. It is even more important after introducing CONFIG_IMA_WRITE_POLICY. This option allows the root user to see the current policy rules. Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com> Signed-off-by: Petko Manolov <petkan@mip-labs.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
author: Petko Manolov <petkan@mip-labs.com> 2015-12-02 17:47:56 +0200
committer: Oleksandr Suvorov <oleksandr.suvorov@toradex.com> 2020-05-25 13:57:21 +0300
commit: 11485a13d38000c64471bdf6338536be52b761f9 (patch)
tree: 19f8e7d5f5bdae494368a6b1eeafe8d5b2e8d62f /security/integrity/ima/Kconfig
parent: 72d6cdc59c00405719b62eb3dedf0def2b6e028e (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index b13068d54343..1d4dbae64f8c 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -119,6 +119,16 @@ config IMA_WRITE_POLICY
 
 	  If unsure, say N.
 
+config IMA_READ_POLICY
+	bool "Enable reading back the current IMA policy"
+	depends on IMA
+	default y if IMA_WRITE_POLICY
+	default n if !IMA_WRITE_POLICY
+	help
+	   It is often useful to be able to read back the IMA policy.  It is
+	   even more important after introducing CONFIG_IMA_WRITE_POLICY.
+	   This option allows the root user to see the current policy rules.
+
 config IMA_APPRAISE
 	bool "Appraise integrity measurements"
 	depends on IMA
author	Petko Manolov <petkan@mip-labs.com>	2015-12-02 17:47:56 +0200
committer	Oleksandr Suvorov <oleksandr.suvorov@toradex.com>	2020-05-25 13:57:21 +0300
commit	11485a13d38000c64471bdf6338536be52b761f9 (patch)
tree	19f8e7d5f5bdae494368a6b1eeafe8d5b2e8d62f /security/integrity/ima/Kconfig
parent	72d6cdc59c00405719b62eb3dedf0def2b6e028e (diff)