From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: ltp@lists.linux.it, linux-integrity@vger.kernel.org
Subject: Re: [PATCH 1/3] ima: Add TCB policy as an example
Date: Thu, 12 Dec 2024 09:55:43 +0100 [thread overview]
Message-ID: <20241212085543.GB1463264@pevik> (raw)
In-Reply-To: <007bb56c0ed893e6b53d31efee1276e7bb91a557.camel@linux.ibm.com>
Hi Mimi,
> Hi Petr,
> On Tue, 2024-11-26 at 18:38 +0100, Petr Vorel wrote:
> > Signed-off-by: Petr Vorel <pvorel@suse.cz>
> Except for the "dont_measure <tmpfs>" rule, the "dont_measure" rules are for
> pseudo filesystems. Including a "dont_measure <tmpfs>" policy rule was suppose
> to be limited to the initramfs, and then replaced with an IMA custom policy. I
> would either re-order the rules so that the "dont_measure" rules are only before
> the two "func=FILE_CHECK" rules or perhaps remove the "dont_measure <tmpfs>"
> policy rule. The kernel builtin "tcb" policy should be updated as described
> below.
> > ---
> > .../ima/datafiles/ima_measurements/tcb.policy | 20 +++++++++++++++++++
> > 1 file changed, 20 insertions(+)
> > create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
> > diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
> > new file mode 100644
> > index 0000000000..280e6af87c
> > --- /dev/null
> > +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
> > @@ -0,0 +1,20 @@
> > +dont_measure fsmagic=0x9fa0
> > +dont_measure fsmagic=0x62656572
> > +dont_measure fsmagic=0x64626720
> > +dont_measure fsmagic=0x1021994
> > +dont_measure fsmagic=0x1cd1
> > +dont_measure fsmagic=0x42494e4d
> > +dont_measure fsmagic=0x73636673
> > +dont_measure fsmagic=0xf97cff8c
> > +dont_measure fsmagic=0x43415d53
> > +dont_measure fsmagic=0x27e0eb
> > +dont_measure fsmagic=0x63677270
> > +dont_measure fsmagic=0x6e736673
> > +dont_measure fsmagic=0xde5e81e4
> Limit the affect of "dont_measure" rules to just the "func=FILE_CHECK" rules, by
> moving them to before the "func=FILE_CHECK" rules.
> > +measure func=MMAP_CHECK mask=MAY_EXEC
> > +measure func=BPRM_CHECK mask=MAY_EXEC
> > +measure func=FILE_CHECK mask=^MAY_READ euid=0
> > +measure func=FILE_CHECK mask=^MAY_READ uid=0
> Move above two "func=FILE_CHECK" rules to the end.
> > +measure func=MODULE_CHECK
> > +measure func=FIRMWARE_CHECK
> > +measure func=POLICY_CHECK
Thanks for your comments. You probably mean ima_policy=tcb from [1], right?
dont_measure fsmagic=0x9fa0 # PROC_SUPER_MAGIC
dont_measure fsmagic=0x62656572 # SYSFS_MAGIC
dont_measure fsmagic=0x64626720 # DEBUGFS_MAGIC
dont_measure fsmagic=0x1021994 # TMPFS_MAGIC
dont_measure fsmagic=0x1cd1 # DEVPTS_SUPER_MAGIC
dont_measure fsmagic=0x42494e4d # BINFMTFS_MAGIC
dont_measure fsmagic=0x73636673 # SECURITYFS_MAGIC
dont_measure fsmagic=0xf97cff8c # SELINUX_MAGIC
dont_measure fsmagic=0x43415d53 # SMACK_MAGIC
dont_measure fsmagic=0x27e0eb # CGROUP_SUPER_MAGIC
dont_measure fsmagic=0x63677270 # CGROUP2_SUPER_MAGIC
dont_measure fsmagic=0x6e736673 # NSFS_MAGIC
dont_measure fsmagic=0xde5e81e4 # EFIVARFS_MAGIC
measure func=MMAP_CHECK mask=MAY_EXEC
measure func=BPRM_CHECK mask=MAY_EXEC # binary executed
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0 # root opened r/o, r/w
measure func=MODULE_CHECK
measure func=FIRMWARE_CHECK
measure func=POLICY_CHECK
without: dont_measure fsmagic=0x1021994 # TMPFS_MAGIC
(I would remove the comments from final policy file)
Or if not, feel free to send a patch with optimal policy.
Kind regards,
Petr
[1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb
> thanks,
> Mimi
next prev parent reply other threads:[~2024-12-12 8:55 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-26 17:38 [PATCH 0/3] LTP tests: load predefined policy Petr Vorel
2024-11-26 17:38 ` [PATCH 1/3] ima: Add TCB policy as an example Petr Vorel
2024-12-11 12:26 ` Mimi Zohar
2024-12-12 8:55 ` Petr Vorel [this message]
2024-11-26 17:38 ` [PATCH 2/3] ima_setup.sh: Allow to load predefined policy Petr Vorel
2024-11-26 22:09 ` Petr Vorel
2024-12-11 12:18 ` Mimi Zohar
2024-12-11 19:48 ` Petr Vorel
2024-12-12 14:29 ` Mimi Zohar
2024-12-12 15:11 ` Petr Vorel
2024-11-26 17:38 ` [PATCH 3/3] ima_{kexec,keys,selinux}: Set minimal kernel version Petr Vorel
2024-12-11 12:36 ` Mimi Zohar
2024-12-12 8:30 ` Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241212085543.GB1463264@pevik \
--to=pvorel@suse.cz \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).