From: Armin Kuster <akuster808@gmail.com>
To: yocto@yoctoproject.org
Subject: [meta-security][PATCH 10/14] policy: add ima appraise all policy
Date: Sun, 26 May 2019 21:56:37 -0700
Message-ID: <20190527045641.18884-11-akuster808@gmail.com>
In-Reply-To: <20190527045641.18884-1-akuster808@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../files/ima_policy_appraise_all | 29 +++++++++++++++++++
.../ima-policy-appraise-all_1.0.bb | 18 ++++++++++++
2 files changed, 47 insertions(+)
create mode 100644 meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
create mode 100644 meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
new file mode 100644
index 0000000..36e71a7
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
@@ -0,0 +1,29 @@
+#
+# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)
+#
+# Do not measure anything, but appraise everything
+#
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+# BIFMT
+dont_appraise fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+# SELINUXFS_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
+dont_appraise fsmagic=0x6e736673
+# EFIVARFS_MAGIC
+dont_appraise fsmagic=0xde5e81e4
+
+appraise
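Review bot: the header comment on the first line calls this an "Integrity measure policy", but the file contains no `measure` rule at all; the wiki link and the line below it already describe it as "measure nothing, appraise everything", so the title should say "appraise" to match. Two smaller points in the same hunk: the comment `# BIFMT` above `fsmagic=0x42494e4d` should read `# BINFMTFS_MAGIC`, the kernel's name for that value, for consistency with the other entries; and the closing bare `appraise` rule carries no `fowner`, `func` or `appraise_type` qualifier, so every file opened on a filesystem not excluded above must carry a valid security.ima xattr, including files the system writes itself at runtime (logs, state under /var) when those live on persistent storage rather than the excluded tmpfs/ramfs. A comment stating whether this policy is meant for `ima_appraise=fix` or `log` during image bring-up or for `enforce`, and noting that hash-only xattrs are accepted because `appraise_type=imasig` is not set, would make the intended use clear.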
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
new file mode 100644
index 0000000..b58d3fe
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
@@ -0,0 +1,18 @@
+SUMMARY = "IMA sample simple appraise policy "
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_appraise_all"
+
+SRC_URI = " file://${IMA_POLICY}"
+
+do_install () {
+ install -d ${D}/${sysconfdir}/ima
+ install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
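Review bot: `install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy` in do_install passes no mode, so install(1) defaults to 0755 and the policy file ends up executable; use `install -m 0644 ${WORKDIR}/${IMA_POLICY} ${D}${sysconfdir}/ima/ima-policy` for a config file. On the same line and on the `install -d` line, `${D}/${sysconfdir}` doubles the slash because `${sysconfdir}` already starts with one; `${D}${sysconfdir}/ima` is the usual form. Minor: the SUMMARY string has a trailing space inside the quotes and SRC_URI a leading one. Since the file lands under /etc, consider listing it in `CONFFILES_${PN}` so a package upgrade does not clobber a locally edited policy. The comment says the file "will get installed as /etc/ima/ima-policy", but nothing in this recipe loads it into securityfs (/sys/kernel/security/ima/policy); a sentence in the commit message naming the component that does (an initramfs script, for instance) would save the next reader a search.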
--
2.17.1
Thread overview:
2019-05-27 4:56 [meta-security][PATCH 00/14] Port over meta-integrity Armin Kuster
2019-05-27 4:56 ` [meta-security][PATCH 01/14] meta-integrity: port over from meta-intel-iot-security Armin Kuster
2019-05-27 4:56 ` [meta-security][PATCH 02/14] layer.conf: add LAYERSERIES_COMPAT Armin Kuster
2019-05-27 4:56 ` [meta-security][PATCH 03/14] README: update Armin Kuster
2019-05-27 4:56 ` [meta-security][PATCH 04/14] ima-evm-utils: cleanup and update to tip Armin Kuster
2019-05-27 4:56 ` [meta-security][PATCH 05/14] ima.cfg: update to 5.0 kernel Armin Kuster
2019-05-27 4:56 ` [meta-security][PATCH 06/14] linux: update bbappend Armin Kuster
2019-05-27 4:56 ` [meta-security][PATCH 07/14] base-files: add appending to automount securityfs Armin Kuster
2019-05-27 4:56 ` [meta-security][PATCH 08/14] ima-policy-hashed: add new recipe Armin Kuster
2019-05-27 4:56 ` [meta-security][PATCH 09/14] ima_policy_simple: add another sample policy Armin Kuster
2019-05-27 4:56 ` Armin Kuster [this message]
2019-05-27 4:56 ` [meta-security][PATCH 11/14] data: remove policies Armin Kuster
2019-05-27 4:56 ` [meta-security][PATCH 12/14] initramfs: clean up to pull in packages Armin Kuster
2019-05-27 4:56 ` [meta-security][PATCH 13/14] runtime qa: moderize ima test Armin Kuster
2019-05-27 4:56 ` [meta-security][PATCH 14/14] image: add image for testing Armin Kuster