Hi Mimi, > With a custom policy similar to the builtin IMA 'tcb' policy [1], arch > specific policy, and a kexec boot command line measurement policy rule, > the kexec boot command line is not measured due to the dont_measure > tmpfs rule.
> Limit the builtin 'tcb' dont_measure tmpfs policy rule to just the > "func=FILE_CHECK" hook. Depending on the end users security threat > model, a custom policy might not even include this dont_measure tmpfs > rule. > Note: as a result of this policy rule change, other measurements might > also be included in the IMA-measurement list that previously weren't > included. LGTM. Reviewed-by: Petr Vorel <[email protected]> Kind regards, Petr > [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb > Signed-off-by: Mimi Zohar <[email protected]> > --- > security/integrity/ima/ima_policy.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > diff --git a/security/integrity/ima/ima_policy.c > b/security/integrity/ima/ima_policy.c > index 21a8e54c383f..23bbe2c405f0 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -148,7 +148,8 @@ static struct ima_rule_entry dont_measure_rules[] > __ro_after_init = { > {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = > IMA_FSMAGIC}, > {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, > {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = > IMA_FSMAGIC}, > - {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, > + {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK, > + .flags = IMA_FSMAGIC | IMA_FUNC}, > {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = > IMA_FSMAGIC}, > {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = > IMA_FSMAGIC}, > {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = > IMA_FSMAGIC},
