From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org
Subject: Re: [PATCH] ima: limit the builtin 'tcb' dont_measure tmpfs policy rule
Date: Tue, 31 Dec 2024 10:33:18 +0100 [thread overview]
Message-ID: <20241231093318.GA36475@pevik> (raw)
In-Reply-To: <20241230142333.1309623-2-zohar@linux.ibm.com>
Hi Mimi,
> With a custom policy similar to the builtin IMA 'tcb' policy [1], an arch-specific
> policy, and a kexec boot command line measurement policy rule,
> the kexec boot command line is not measured due to the dont_measure
> tmpfs rule.
> Limit the builtin 'tcb' dont_measure tmpfs policy rule to just the
> "func=FILE_CHECK" hook. Depending on the end user's security threat
> model, a custom policy might not even include this dont_measure tmpfs
> rule.
> Note: as a result of this policy rule change, other measurements might
> also be included in the IMA-measurement list that previously weren't
> included.
LGTM.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
> [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> security/integrity/ima/ima_policy.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 21a8e54c383f..23bbe2c405f0 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -148,7 +148,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
> {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
> {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
> {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
> - {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
> + {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK,
> + .flags = IMA_FSMAGIC | IMA_FUNC},
> {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
> {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
> {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
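Review bot: adding `.func = FILE_CHECK` and `IMA_FUNC` to the TMPFS_MAGIC entry narrows the builtin 'tcb' exclusion to one hook only, so tmpfs content reached through any other hook (the KEXEC_CMDLINE case this patch is about, but also every other func the policy measures) now falls through to the measure rules; the commit message only says "other measurements might also be included". Suggest listing in the commit message which hooks gain measurements under the unchanged 'tcb' measure rules, and updating the 'tcb' policy description cited as [1] so it shows the rule as `dont_measure fsmagic=0x01021994 func=FILE_CHECK` rather than the previous hook-agnostic `dont_measure fsmagic=0x01021994`, since custom policies are commonly derived from that listing.

For readers writing a custom policy "similar to the builtin 'tcb' policy", the same restriction expressed in IMA policy-file syntax, as an added, constructed illustration that is not part of the patch or the kernel tree (the TMPFS_MAGIC value 0x01021994 is the documented magic; the KEXEC_CMDLINE rule stands in for the custom rule the commit message mentions):

```text
# Constructed example, not from the patch. Two alternative policy
# fragments; IMA evaluates rules in order and the first match wins.

# Before: the tmpfs exclusion carries no func=, so it matches every
# hook, and the KEXEC_CMDLINE measure rule below it never fires.
dont_measure fsmagic=0x01021994
measure func=KEXEC_CMDLINE

# After: the same exclusion limited to the FILE_CHECK hook, mirroring
# the patched builtin rule; the kexec command line is measured again.
dont_measure fsmagic=0x01021994 func=FILE_CHECK
measure func=KEXEC_CMDLINE
```

Only one of the two fragments would be loaded into /sys/kernel/security/ima/policy; they are shown side by side to make the difference in the dont_measure line visible.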
Thread overview: 6+ messages
2024-12-30 14:23 [PATCH] ima: ignore suffixed policy rule comments Mimi Zohar
2024-12-30 14:23 ` [PATCH] ima: limit the builtin 'tcb' dont_measure tmpfs policy rule Mimi Zohar
2024-12-31 9:33 ` Petr Vorel [this message]
2025-01-15 10:09 ` Roberto Sassu
2024-12-31 7:28 ` [PATCH] ima: ignore suffixed policy rule comments Petr Vorel
2025-01-03 13:24 ` Jarkko Sakkinen