Hi Mimi, > On Mon, 2025-02-03 at 22:02 +0100, Petr Vorel wrote: > > add func=FILE_CHECK to dont_measure tmpfs > > Similarly to tcb.policy limit dont_measure tmpfs policy to func=FILE_CHECK. > > This allows to do extra measurements, e.g. kexec boot command line, see > > kernel commit > > 7eef7c8bac9a ("ima: limit the builtin 'tcb' dont_measure tmpfs policy rule") > > Also remove leading 0 from tmpfs magic (to match IMA docs and tcb.policy). > > Suggested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > > Signed-off-by: Petr Vorel <pvorel@xxxxxxx> > Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> Thanks, also this one merged. Kind regards, Petr > > --- > > .../security/integrity/ima/datafiles/ima_policy/measure.policy | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git > > a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy > > b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy > > index 9976ddf2de..8abd05fb1a 100644 > > --- a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy > > +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy > > @@ -8,7 +8,7 @@ dont_measure fsmagic=0x62656572 > > # DEBUGFS_MAGIC > > dont_measure fsmagic=0x64626720 > > # TMPFS_MAGIC > > -dont_measure fsmagic=0x01021994 > > +dont_measure fsmagic=0x1021994 func=FILE_CHECK > > # SECURITYFS_MAGIC > > dont_measure fsmagic=0x73636673 > > measure func=FILE_MMAP mask=MAY_EXEC
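
Review bot: the `# TMPFS_MAGIC` comment above the changed `dont_measure` line no longer describes the rule's scope. With `func=FILE_CHECK` added, the exclusion applies to that hook only. Accesses on tmpfs that reach other hooks now fall through to the later rules, including the `measure func=FILE_MMAP mask=MAY_EXEC` line visible in the trailing context, so executable mappings of tmpfs files will start to appear in the measurement list. The commit message names only the kexec boot command line as the intended extra measurement. Consider extending the comment to something like `# TMPFS_MAGIC (FILE_CHECK only, other hooks are still measured)` and noting the FILE_MMAP effect in the commit message, so tests that load this policy and count or compare measurements can be checked against the new behaviour. Dropping the leading zero from the magic is a cosmetic change with the same numeric value. It would read more clearly as its own line in the changelog than as a parenthetical.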