Re: [PATCH v2 1/8] IMA: Add TCB policy as an example for ima_measurements.sh

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Petr,

On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote:
> Taken from IMA docs [1], removed dont_measure fsmagic=0x1021994 (tmpfs)
> as suggested by Mimi.
> 
> [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb
> 
> Signed-off-by: Petr Vorel <pvorel@xxxxxxx>

After thinking about it some more, anyone interested in constraining the
"measure func=FILE_CHECK" rules based on LSM labels to avoid integrity
violations would need to reboot the system anyway. [1]

For this reason, please include the new dont_measure tmpfs rule as proposed in
"[PATCH] ima: limit the builtin 'tcb' dont_measure tmpfs policy rule". [2]

[1] Integrity violations -
https://ima-doc.readthedocs.io/en/latest/event-log-format.html#template-data-hash

[2]
https://lore.kernel.org/linux-integrity/20241230142333.1309623-2-zohar@xxxxxxxxxxxxx/

thanks,

Mimi

> ---
> I would like to check in ima_measurements.sh for this policy as an
> variant to ima_policy=tcb command line parameter. Do I need to check for
> all of these (suppose all are in ima_policy=tcb).
> 
>  .../ima/datafiles/ima_measurements/tcb.policy | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
>  create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
> 
> diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
> new file mode 100644
> index 0000000000..1c919f7260
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
> @@ -0,0 +1,19 @@
> +dont_measure fsmagic=0x9fa0
> +dont_measure fsmagic=0x62656572
> +dont_measure fsmagic=0x64626720
> +dont_measure fsmagic=0x1cd1
> +dont_measure fsmagic=0x42494e4d
> +dont_measure fsmagic=0x73636673
> +dont_measure fsmagic=0xf97cff8c
> +dont_measure fsmagic=0x43415d53
> +dont_measure fsmagic=0x27e0eb
> +dont_measure fsmagic=0x63677270
> +dont_measure fsmagic=0x6e736673
> +dont_measure fsmagic=0xde5e81e4
> +measure func=MMAP_CHECK mask=MAY_EXEC
> +measure func=BPRM_CHECK mask=MAY_EXEC
> +measure func=FILE_CHECK mask=^MAY_READ euid=0
> +measure func=FILE_CHECK mask=^MAY_READ uid=0
> +measure func=MODULE_CHECK
> +measure func=FIRMWARE_CHECK
> +measure func=POLICY_CHECK
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux