IMA: allow reading back the current IMA policy

It is often useful to be able to read back the IMA policy.  It is
even more important after introducing CONFIG_IMA_WRITE_POLICY.
This option allows the root user to see the current policy rules.

Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
Signed-off-by: Petko Manolov <petkan@mip-labs.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 8d5e6e0e..e54a8a8 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -118,6 +118,16 @@
 
 	  If unsure, say N.
 
+config IMA_READ_POLICY
+	bool "Enable reading back the current IMA policy"
+	depends on IMA
+	default y if IMA_WRITE_POLICY
+	default n if !IMA_WRITE_POLICY
+	help
+	   It is often useful to be able to read back the IMA policy.  It is
+	   even more important after introducing CONFIG_IMA_WRITE_POLICY.
+	   This option allows the root user to see the current policy rules.
+
 config IMA_APPRAISE
 	bool "Appraise integrity measurements"
 	depends on IMA
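Review bot: The help text of the new IMA_READ_POLICY entry says the option "allows the root user to see the current policy rules" but does not say through which interface the rules are read or what enforces the root-only restriction, and nothing in this Kconfig hunk shows it. Since the loaded policy reveals which files are measured and appraised, I would state in the help text where the policy is exposed and which access check applies, so someone enabling the option knows what becomes readable and by whom. Two smaller points in the same entry: `default n if !IMA_WRITE_POLICY` is redundant, because a bool with no matching default is already n, so `default y if IMA_WRITE_POLICY` alone is enough; and the help body is indented with a tab plus three spaces, while the preceding context line ("If unsure, say N.") uses a tab plus two.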