On Mon, 2025-02-03 at 22:02 +0100, Petr Vorel wrote: > add func=FILE_CHECK to dont_measure tmpfs > > Similarly to tcb.policy limit dont_measure tmpfs policy to func=FILE_CHECK. > This allows to do extra measurements, e.g. kexec boot command line, see > kernel commit > > 7eef7c8bac9a ("ima: limit the builtin 'tcb' dont_measure tmpfs policy rule") > > Also remove leading 0 from tmpfs magic (to match IMA docs and tcb.policy). > > Suggested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > Signed-off-by: Petr Vorel <pvorel@xxxxxxx> Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > --- > .../security/integrity/ima/datafiles/ima_policy/measure.policy | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git > a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy > b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy > index 9976ddf2de..8abd05fb1a 100644 > --- a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy > +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy > @@ -8,7 +8,7 @@ dont_measure fsmagic=0x62656572 > # DEBUGFS_MAGIC > dont_measure fsmagic=0x64626720 > # TMPFS_MAGIC > -dont_measure fsmagic=0x01021994 > +dont_measure fsmagic=0x1021994 func=FILE_CHECK > # SECURITYFS_MAGIC > dont_measure fsmagic=0x73636673 > measure func=FILE_MMAP mask=MAY_EXEC
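Review bot: The narrowed rule `dont_measure fsmagic=0x1021994 func=FILE_CHECK` now only exempts tmpfs from FILE_CHECK measurement, so the trailing `measure func=FILE_MMAP mask=MAY_EXEC` rule (and any later BPRM_CHECK or KEXEC_CMDLINE rules) will start producing measurement list entries for files on tmpfs; please confirm that none of the LTP IMA tests consuming this measure.policy assume tmpfs content never appears in the measurement list, or that they are adjusted alongside this change. The leading-zero removal in the fsmagic is purely cosmetic (`0x01021994` and `0x1021994` parse to the same value) and is fine as a consistency fix with tcb.policy and the IMA docs, but a one-line mention in the hunk's `# TMPFS_MAGIC` comment that the rule intentionally applies to FILE_CHECK only would keep future readers from "restoring" the broader rule.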