| Message ID | 20241230142333.1309623-2-zohar@linux.ibm.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | ima: limit the builtin 'tcb' dont_measure tmpfs policy rule | expand |
Hi Mimi, > With a custom policy similar to the builtin IMA 'tcb' policy [1], arch > specific policy, and a kexec boot command line measurement policy rule, > the kexec boot command line is not measured due to the dont_measure > tmpfs rule. > Limit the builtin 'tcb' dont_measure tmpfs policy rule to just the > "func=FILE_CHECK" hook. Depending on the end users security threat > model, a custom policy might not even include this dont_measure tmpfs > rule. > Note: as a result of this policy rule change, other measurements might > also be included in the IMA-measurement list that previously weren't > included. LGTM. Reviewed-by: Petr Vorel <pvorel@suse.cz> Kind regards, Petr > [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > --- > security/integrity/ima/ima_policy.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index 21a8e54c383f..23bbe2c405f0 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -148,7 +148,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { > {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, > {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, > {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, > - {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, > + {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK, > + .flags = IMA_FSMAGIC | IMA_FUNC}, > {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, > {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, > {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 21a8e54c383f..23bbe2c405f0 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -148,7 +148,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, - {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK, + .flags = IMA_FSMAGIC | IMA_FUNC}, {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
With a custom policy similar to the builtin IMA 'tcb' policy [1], arch specific policy, and a kexec boot command line measurement policy rule, the kexec boot command line is not measured due to the dont_measure tmpfs rule. Limit the builtin 'tcb' dont_measure tmpfs policy rule to just the "func=FILE_CHECK" hook. Depending on the end users security threat model, a custom policy might not even include this dont_measure tmpfs rule. Note: as a result of this policy rule change, other measurements might also be included in the IMA-measurement list that previously weren't included. [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- security/integrity/ima/ima_policy.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)