aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster808@gmail.com>2019-05-25 23:12:35 -0700
committerArmin Kuster <akuster808@gmail.com>2019-05-28 07:38:52 -0700
commitd1d4e78708d955d3779fb8ae7c3a531bbfb55050 (patch)
tree91b58d3200d46ba464eff53217568be838598c64
parentcf0123e130696048feb8ddb1b21b214d222bf582 (diff)
downloadmeta-security-d1d4e78708d955d3779fb8ae7c3a531bbfb55050.tar.gz
meta-security-d1d4e78708d955d3779fb8ae7c3a531bbfb55050.tar.bz2
meta-security-d1d4e78708d955d3779fb8ae7c3a531bbfb55050.zip
data: remove policies
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-integrity/data/ima_policy_appraise_all29
-rw-r--r--meta-integrity/data/ima_policy_hashed77
-rw-r--r--meta-integrity/data/ima_policy_simple4
3 files changed, 0 insertions, 110 deletions
diff --git a/meta-integrity/data/ima_policy_appraise_all b/meta-integrity/data/ima_policy_appraise_all
deleted file mode 100644
index 36e71a7..0000000
--- a/meta-integrity/data/ima_policy_appraise_all
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)
-#
-# Do not measure anything, but appraise everything
-#
-# PROC_SUPER_MAGIC
-dont_appraise fsmagic=0x9fa0
-# SYSFS_MAGIC
-dont_appraise fsmagic=0x62656572
-# DEBUGFS_MAGIC
-dont_appraise fsmagic=0x64626720
-# TMPFS_MAGIC
-dont_appraise fsmagic=0x01021994
-# RAMFS_MAGIC
-dont_appraise fsmagic=0x858458f6
-# DEVPTS_SUPER_MAGIC
-dont_appraise fsmagic=0x1cd1
-# BIFMT
-dont_appraise fsmagic=0x42494e4d
-# SECURITYFS_MAGIC
-dont_appraise fsmagic=0x73636673
-# SELINUXFS_MAGIC
-dont_appraise fsmagic=0xf97cff8c
-# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
-dont_appraise fsmagic=0x6e736673
-# EFIVARFS_MAGIC
-dont_appraise fsmagic=0xde5e81e4
-
-appraise
diff --git a/meta-integrity/data/ima_policy_hashed b/meta-integrity/data/ima_policy_hashed
deleted file mode 100644
index 7f89c8d..0000000
--- a/meta-integrity/data/ima_policy_hashed
+++ /dev/null
@@ -1,77 +0,0 @@
-# With this policy, all files on regular partitions are
-# appraised. Files with signed IMA hash and normal hash are
-# accepted. Signed files cannot be modified while hashed files can be
-# (which will also update the hash). However, signed files can
-# be deleted, so in practice it is still possible to replace them
-# with a modified version.
-#
-# Without EVM, this is obviously not very secure, so this policy is
-# just an example and/or basis for further improvements. For that
-# purpose, some comments show what could be added to make the policy
-# more secure.
-#
-# With EVM the situation might be different because access
-# to the EVM key can be restricted.
-#
-# Files which are appraised are also measured. This allows
-# debugging whether a file is in policy by looking at
-# /sys/kernel/security/ima/ascii_runtime_measurements
-
-# PROC_SUPER_MAGIC
-dont_appraise fsmagic=0x9fa0
-dont_measure fsmagic=0x9fa0
-# SYSFS_MAGIC
-dont_appraise fsmagic=0x62656572
-dont_measure fsmagic=0x62656572
-# DEBUGFS_MAGIC
-dont_appraise fsmagic=0x64626720
-dont_measure fsmagic=0x64626720
-# TMPFS_MAGIC
-dont_appraise fsmagic=0x01021994
-dont_measure fsmagic=0x01021994
-# RAMFS_MAGIC
-dont_appraise fsmagic=0x858458f6
-dont_measure fsmagic=0x858458f6
-# DEVPTS_SUPER_MAGIC
-dont_appraise fsmagic=0x1cd1
-dont_measure fsmagic=0x1cd1
-# BIFMT
-dont_appraise fsmagic=0x42494e4d
-dont_measure fsmagic=0x42494e4d
-# SECURITYFS_MAGIC
-dont_appraise fsmagic=0x73636673
-dont_measure fsmagic=0x73636673
-# SELINUXFS_MAGIC
-dont_appraise fsmagic=0xf97cff8c
-dont_measure fsmagic=0xf97cff8c
-# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
-dont_appraise fsmagic=0x6e736673
-dont_measure fsmagic=0x6e736673
-# SMACK_MAGIC
-dont_appraise fsmagic=0x43415d53
-dont_measure fsmagic=0x43415d53
-# CGROUP_SUPER_MAGIC
-dont_appraise fsmagic=0x27e0eb
-dont_measure fsmagic=0x27e0eb
-# EFIVARFS_MAGIC
-dont_appraise fsmagic=0xde5e81e4
-dont_measure fsmagic=0xde5e81e4
-
-# Special partition, no checking done.
-# dont_measure fsuuid=a11234...
-# dont_appraise fsuuid=a11243...
-
-# Special immutable group.
-# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200
-
-# All executables must be signed - too strict, we need to
-# allow installing executables on the device.
-# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
-# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC
-
-# Default rule. Would be needed also when other rules were added that
-# determine what to do in case of reading (mask=MAY_READ or
-# mask=MAY_EXEC) because otherwise writing does not update the file
-# hash.
-appraise
-measure
diff --git a/meta-integrity/data/ima_policy_simple b/meta-integrity/data/ima_policy_simple
deleted file mode 100644
index 38ca8f5..0000000
--- a/meta-integrity/data/ima_policy_simple
+++ /dev/null
@@ -1,4 +0,0 @@
-# Very simple policy demonstrating the systemd policy loading bug
-# (policy with one line works, two lines don't).
-dont_appraise fsmagic=0x9fa0
-dont_appraise fsmagic=0x62656572