authorArmin Kuster <akuster808@gmail.com>2019-05-25 23:10:33 -0700
committerArmin Kuster <akuster808@gmail.com>2019-05-28 07:38:52 -0700
commitcf0123e130696048feb8ddb1b21b214d222bf582 (patch)
tree95a42a06aca6125919726d9efe1a5ee6dbdcee42
parent1293478068e6a1b5f53d160fc7f4e06bd8c27039 (diff)
policy: add ima appraise all policy
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all29
-rw-r--r--meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb18
2 files changed, 47 insertions, 0 deletions
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
new file mode 100644
index 0000000..36e71a7
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
@@ -0,0 +1,29 @@
+#
+# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)
+#
+# Do not measure anything, but appraise everything
+#
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+# BIFMT
+dont_appraise fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+# SELINUXFS_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
+dont_appraise fsmagic=0x6e736673
+# EFIVARFS_MAGIC
+dont_appraise fsmagic=0xde5e81e4
+
+appraise
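Review bot: The closing `appraise` rule has no `appraise_type=imasig`, so a plain hash in `security.ima` satisfies it, and nothing in the file says what protects that xattr. Unless EVM is configured to protect `security.ima`, anyone with offline write access to the filesystem can change a file and its stored hash together, and hash-only appraisal will accept the result. I would state this in the header, e.g. `# Accepts a hash or a signature in security.ima; pair with EVM, or use "appraise appraise_type=imasig" to require signatures`. Separately, the exclusion list appears to omit the cgroup filesystems that the kernel's built-in appraise policy skips (`CGROUP_SUPER_MAGIC`, 0x27e0eb, and its cgroup2 counterpart), which may cause denials on those mounts in enforce mode and is worth confirming on a target.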
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
new file mode 100644
index 0000000..b58d3fe
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
@@ -0,0 +1,18 @@
+SUMMARY = "IMA sample simple appraise policy "
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_appraise_all"
+
+SRC_URI = " file://${IMA_POLICY}"
+
+do_install () {
+ install -d ${D}/${sysconfdir}/ima
+ install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
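Review bot: The second `install` call in do_install gives no `-m`, so the policy lands at /etc/ima/ima-policy with install's default mode 0755, i.e. executable. A policy file is data, and `install -m 0644 ${WORKDIR}/${IMA_POLICY} ${D}${sysconfdir}/ima/ima-policy` states the intended mode explicitly. The comment above `IMA_POLICY` could also note that an appraise-everything policy only boots cleanly once the rootfs files carry `security.ima` labels. The recipe itself only pulls in ima-evm-utils and labels nothing, so presumably an image class elsewhere in the layer does that.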