From 7eef7c8bac9a31f12ae19369582bc25971bc8fe1 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Thu, 26 Dec 2024 21:27:42 -0500 Subject: [PATCH] ima: limit the builtin 'tcb' dont_measure tmpfs policy rule With a custom policy similar to the builtin IMA 'tcb' policy [1], arch specific policy, and a kexec boot command line measurement policy rule, the kexec boot command line is not measured due to the dont_measure tmpfs rule. Limit the builtin 'tcb' dont_measure tmpfs policy rule to just the "func=FILE_CHECK" hook. Depending on the end users security threat model, a custom policy might not even include this dont_measure tmpfs rule. Note: as a result of this policy rule change, other measurements might also be included in the IMA-measurement list that previously weren't included. [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb Reviewed-by: Petr Vorel Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_policy.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 21a8e54c383f..23bbe2c405f0 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -148,7 +148,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, - {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK, + .flags = IMA_FSMAGIC | IMA_FUNC}, {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, -- 2.50.1