add func=FILE_CHECK to dont_measure tmpfs Similarly to tcb.policy limit dont_measure tmpfs policy to func=FILE_CHECK. This allows to do extra measurements, e.g. kexec boot command line, see kernel commit 7eef7c8bac9a ("ima: limit the builtin 'tcb' dont_measure tmpfs policy rule") Also remove leading 0 from tmpfs magic (to match IMA docs and tcb.policy). Suggested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> Signed-off-by: Petr Vorel <pvorel@xxxxxxx> --- .../security/integrity/ima/datafiles/ima_policy/measure.policy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy index 9976ddf2de..8abd05fb1a 100644 --- a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy @@ -8,7 +8,7 @@ dont_measure fsmagic=0x62656572 # DEBUGFS_MAGIC dont_measure fsmagic=0x64626720 # TMPFS_MAGIC -dont_measure fsmagic=0x01021994 +dont_measure fsmagic=0x1021994 func=FILE_CHECK # SECURITYFS_MAGIC dont_measure fsmagic=0x73636673 measure func=FILE_MMAP mask=MAY_EXEC -- 2.47.2
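Review bot: on the changed tmpfs line ("dont_measure fsmagic=0x1021994 func=FILE_CHECK"), narrowing the exemption also means tmpfs is no longer skipped for the "measure func=FILE_MMAP mask=MAY_EXEC" rule that follows in the context, so executable mappings from tmpfs will now be measured under this policy. The commit message only names the kexec boot command line as the extra measurement. Please either mention this effect there or extend the "# TMPFS_MAGIC" comment to say the exemption is limited to FILE_CHECK, so that anyone loading measure.policy and comparing measurement counts knows where the new entries come from. The leading-zero removal does not change the value (0x01021994 and 0x1021994 are the same number). Keeping it in this patch is fine since the message calls it out, but a separate patch would keep the functional change easier to bisect.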