Commit 7eef7c8b authored Dec 26, 2024 by Mimi Zohar

ima: limit the builtin 'tcb' dont_measure tmpfs policy rule

With a custom policy similar to the builtin IMA 'tcb' policy [1], arch
specific policy, and a kexec boot command line measurement policy rule,
the kexec boot command line is not measured due to the dont_measure
tmpfs rule.

Limit the builtin 'tcb' dont_measure tmpfs policy rule to just the
"func=FILE_CHECK" hook.  Depending on the end users security threat
model, a custom policy might not even include this dont_measure tmpfs
rule.

Note: as a result of this policy rule change, other measurements might
also be included in the IMA-measurement list that previously weren't
included.

[1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb



Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

parent 68af44a7

security/integrity/ima/ima_policy.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -148,7 +148,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
		{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
		{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
		{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
		{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
		{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK,
		.flags = IMA_FSMAGIC \| IMA_FUNC},
		{.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
		{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
		{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},