Hi Mimi, > Hi Petr, > On Tue, 2024-11-26 at 18:38 +0100, Petr Vorel wrote: > > Signed-off-by: Petr Vorel <pvorel@xxxxxxx> > Except for the "dont_measure <tmpfs>" rule, the "dont_measure" rules are for > pseudo filesystems. Including a "dont_measure <tmpfs>" policy rule was suppose > to be limited to the initramfs, and then replaced with an IMA custom policy. I > would either re-order the rules so that the "dont_measure" rules are only before > the two "func=FILE_CHECK" rules or perhaps remove the "dont_measure <tmpfs>" > policy rule. The kernel builtin "tcb" policy should be updated as described > below. > > --- > > .../ima/datafiles/ima_measurements/tcb.policy | 20 +++++++++++++++++++ > > 1 file changed, 20 insertions(+) > > create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy > > diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy > > new file mode 100644 > > index 0000000000..280e6af87c > > --- /dev/null > > +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy > > @@ -0,0 +1,20 @@ > > +dont_measure fsmagic=0x9fa0 > > +dont_measure fsmagic=0x62656572 > > +dont_measure fsmagic=0x64626720 > > +dont_measure fsmagic=0x1021994 > > +dont_measure fsmagic=0x1cd1 > > +dont_measure fsmagic=0x42494e4d > > +dont_measure fsmagic=0x73636673 > > +dont_measure fsmagic=0xf97cff8c > > +dont_measure fsmagic=0x43415d53 > > +dont_measure fsmagic=0x27e0eb > > +dont_measure fsmagic=0x63677270 > > +dont_measure fsmagic=0x6e736673 > > +dont_measure fsmagic=0xde5e81e4 > Limit the affect of "dont_measure" rules to just the "func=FILE_CHECK" rules, by > moving them to before the "func=FILE_CHECK" rules. > > +measure func=MMAP_CHECK mask=MAY_EXEC > > +measure func=BPRM_CHECK mask=MAY_EXEC > > +measure func=FILE_CHECK mask=^MAY_READ euid=0 > > +measure func=FILE_CHECK mask=^MAY_READ uid=0 > Move above two "func=FILE_CHECK" rules to the end. > > +measure func=MODULE_CHECK > > +measure func=FIRMWARE_CHECK > > +measure func=POLICY_CHECK Thanks for your comments. You probably mean ima_policy=tcb from [1], right? dont_measure fsmagic=0x9fa0 # PROC_SUPER_MAGIC dont_measure fsmagic=0x62656572 # SYSFS_MAGIC dont_measure fsmagic=0x64626720 # DEBUGFS_MAGIC dont_measure fsmagic=0x1021994 # TMPFS_MAGIC dont_measure fsmagic=0x1cd1 # DEVPTS_SUPER_MAGIC dont_measure fsmagic=0x42494e4d # BINFMTFS_MAGIC dont_measure fsmagic=0x73636673 # SECURITYFS_MAGIC dont_measure fsmagic=0xf97cff8c # SELINUX_MAGIC dont_measure fsmagic=0x43415d53 # SMACK_MAGIC dont_measure fsmagic=0x27e0eb # CGROUP_SUPER_MAGIC dont_measure fsmagic=0x63677270 # CGROUP2_SUPER_MAGIC dont_measure fsmagic=0x6e736673 # NSFS_MAGIC dont_measure fsmagic=0xde5e81e4 # EFIVARFS_MAGIC measure func=MMAP_CHECK mask=MAY_EXEC measure func=BPRM_CHECK mask=MAY_EXEC # binary executed measure func=FILE_CHECK mask=^MAY_READ euid=0 measure func=FILE_CHECK mask=^MAY_READ uid=0 # root opened r/o, r/w measure func=MODULE_CHECK measure func=FIRMWARE_CHECK measure func=POLICY_CHECK without: dont_measure fsmagic=0x1021994 # TMPFS_MAGIC (I would remove the comments from final policy file) Or if not, feel free to send a patch with optimal policy. Kind regards, Petr [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb > thanks, > Mimi
