| Message ID | 20250203210233.1407530-1-pvorel@suse.cz (mailing list archive) |
|---|---|
| State | New |
| Series | IMA: measure.policy: limit dont_measure tmpfs policy to func=FILE_CHECK |
On Mon, 2025-02-03 at 22:02 +0100, Petr Vorel wrote:
> add func=FILE_CHECK to dont_measure tmpfs
>
> Similarly to tcb.policy, limit dont_measure tmpfs policy to func=FILE_CHECK.
> This allows doing extra measurements, e.g. kexec boot command line, see
> kernel commit
>
> 7eef7c8bac9a ("ima: limit the builtin 'tcb' dont_measure tmpfs policy rule")
>
> Also remove leading 0 from tmpfs magic (to match IMA docs and tcb.policy).
>
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

> ---
>  .../security/integrity/ima/datafiles/ima_policy/measure.policy | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git
> a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy
> b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy
> index 9976ddf2de..8abd05fb1a 100644
> --- a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy
> +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy
> @@ -8,7 +8,7 @@ dont_measure fsmagic=0x62656572
>  # DEBUGFS_MAGIC
>  dont_measure fsmagic=0x64626720
>  # TMPFS_MAGIC
> -dont_measure fsmagic=0x01021994
> +dont_measure fsmagic=0x1021994 func=FILE_CHECK
>  # SECURITYFS_MAGIC
>  dont_measure fsmagic=0x73636673
>  measure func=FILE_MMAP mask=MAY_EXEC
Hi Mimi,

> On Mon, 2025-02-03 at 22:02 +0100, Petr Vorel wrote:
> > add func=FILE_CHECK to dont_measure tmpfs
> >
> > Similarly to tcb.policy, limit dont_measure tmpfs policy to func=FILE_CHECK.
> > This allows doing extra measurements, e.g. kexec boot command line, see
> > kernel commit
> >
> > 7eef7c8bac9a ("ima: limit the builtin 'tcb' dont_measure tmpfs policy rule")
> >
> > Also remove leading 0 from tmpfs magic (to match IMA docs and tcb.policy).
> >
> > Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> > Signed-off-by: Petr Vorel <pvorel@suse.cz>
>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Thanks, also this one merged.

Kind regards,
Petr

> > ---
> >  .../security/integrity/ima/datafiles/ima_policy/measure.policy | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git
> > a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy
> > b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy
> > index 9976ddf2de..8abd05fb1a 100644
> > --- a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy
> > +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy
> > @@ -8,7 +8,7 @@ dont_measure fsmagic=0x62656572
> >  # DEBUGFS_MAGIC
> >  dont_measure fsmagic=0x64626720
> >  # TMPFS_MAGIC
> > -dont_measure fsmagic=0x01021994
> > +dont_measure fsmagic=0x1021994 func=FILE_CHECK
> >  # SECURITYFS_MAGIC
> >  dont_measure fsmagic=0x73636673
> >  measure func=FILE_MMAP mask=MAY_EXEC
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy index 9976ddf2de..8abd05fb1a 100644 --- a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy @@ -8,7 +8,7 @@ dont_measure fsmagic=0x62656572 # DEBUGFS_MAGIC dont_measure fsmagic=0x64626720 # TMPFS_MAGIC -dont_measure fsmagic=0x01021994 +dont_measure fsmagic=0x1021994 func=FILE_CHECK # SECURITYFS_MAGIC dont_measure fsmagic=0x73636673 measure func=FILE_MMAP mask=MAY_EXEC
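Review bot: Narrowing the tmpfs dont_measure rule to func=FILE_CHECK means tmpfs files reached through the other hooks, including the `measure func=FILE_MMAP mask=MAY_EXEC` rule that follows in this same hunk, are now measured where they were previously skipped for every hook; any test that compares the measurement list against this policy should expect additional tmpfs entries, and a sentence saying so in the commit message would help the next reader. The change from 0x01021994 to 0x1021994 is numerically identical, so only the added func= condition alters behaviour.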
add func=FILE_CHECK to dont_measure tmpfs

Similarly to tcb.policy, limit dont_measure tmpfs policy to func=FILE_CHECK.
This allows doing extra measurements, e.g. kexec boot command line, see
kernel commit

7eef7c8bac9a ("ima: limit the builtin 'tcb' dont_measure tmpfs policy rule")

Also remove leading 0 from tmpfs magic (to match IMA docs and tcb.policy).

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../security/integrity/ima/datafiles/ima_policy/measure.policy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
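As an added example (not part of the patch, of LTP or of the kernel), a small Python evaluator of the IMA rule semantics the change relies on: rules are tried in file order, the first rule whose stated conditions all match decides, and a rule that omits a condition matches any value of it. The policy text is constructed from the hunk plus an assumed `measure func=FILE_CHECK mask=MAY_READ` rule that the page does not show.

```python
# Added example: parse IMA policy rules like those in measure.policy and
# evaluate them with first-match-wins, to show what the patch changes.
TMPFS_MAGIC = 0x1021994  # same value as 0x01021994; the leading 0 is cosmetic

# Constructed policy text: the tmpfs rule and the FILE_MMAP rule come from
# the hunk; the FILE_CHECK measure rule is an assumption for illustration.
OLD_POLICY = """
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ
"""

# The same policy with the patched tmpfs rule.
NEW_POLICY = OLD_POLICY.replace("dont_measure fsmagic=0x01021994",
                                "dont_measure fsmagic=0x1021994 func=FILE_CHECK")


def parse_policy(text):
    """Return a list of (action, {condition: value}) in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        action, *conds = line.split()
        rule = {}
        for cond in conds:
            key, value = cond.split("=", 1)
            # fsmagic is numeric, so 0x01021994 and 0x1021994 compare equal
            rule[key] = int(value, 16) if key == "fsmagic" else value
        rules.append((action, rule))
    return rules


def is_measured(rules, fsmagic, func, mask):
    """First rule whose every stated condition matches decides the outcome;
    a condition the rule leaves out matches anything."""
    access = {"fsmagic": fsmagic, "func": func, "mask": mask}
    for action, rule in rules:
        if all(access[k] == v for k, v in rule.items()):
            return action == "measure"
    return False  # no rule matched: nothing to measure


if __name__ == "__main__":
    for name, text in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        rules = parse_policy(text)
        print(name, "tmpfs exec mmap measured:",
              is_measured(rules, TMPFS_MAGIC, "FILE_MMAP", "MAY_EXEC"))
```

Under the old policy the tmpfs rule swallows every hook, so an executable mapped from tmpfs is never measured; under the new policy it falls through to the FILE_MMAP rule while plain FILE_CHECK opens on tmpfs stay unmeasured.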