diff options
| -rw-r--r-- | meta-integrity/data/ima_policy_appraise_all | 29 | ||||
| -rw-r--r-- | meta-integrity/data/ima_policy_hashed | 77 | ||||
| -rw-r--r-- | meta-integrity/data/ima_policy_simple | 4 |
3 files changed, 0 insertions, 110 deletions
diff --git a/meta-integrity/data/ima_policy_appraise_all b/meta-integrity/data/ima_policy_appraise_all deleted file mode 100644 index 36e71a7..0000000 --- a/meta-integrity/data/ima_policy_appraise_all +++ /dev/null @@ -1,29 +0,0 @@ -# -# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything) -# -# Do not measure anything, but appraise everything -# -# PROC_SUPER_MAGIC -dont_appraise fsmagic=0x9fa0 -# SYSFS_MAGIC -dont_appraise fsmagic=0x62656572 -# DEBUGFS_MAGIC -dont_appraise fsmagic=0x64626720 -# TMPFS_MAGIC -dont_appraise fsmagic=0x01021994 -# RAMFS_MAGIC -dont_appraise fsmagic=0x858458f6 -# DEVPTS_SUPER_MAGIC -dont_appraise fsmagic=0x1cd1 -# BIFMT -dont_appraise fsmagic=0x42494e4d -# SECURITYFS_MAGIC -dont_appraise fsmagic=0x73636673 -# SELINUXFS_MAGIC -dont_appraise fsmagic=0xf97cff8c -# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) -dont_appraise fsmagic=0x6e736673 -# EFIVARFS_MAGIC -dont_appraise fsmagic=0xde5e81e4 - -appraise diff --git a/meta-integrity/data/ima_policy_hashed b/meta-integrity/data/ima_policy_hashed deleted file mode 100644 index 7f89c8d..0000000 --- a/meta-integrity/data/ima_policy_hashed +++ /dev/null @@ -1,77 +0,0 @@ -# With this policy, all files on regular partitions are -# appraised. Files with signed IMA hash and normal hash are -# accepted. Signed files cannot be modified while hashed files can be -# (which will also update the hash). However, signed files can -# be deleted, so in practice it is still possible to replace them -# with a modified version. -# -# Without EVM, this is obviously not very secure, so this policy is -# just an example and/or basis for further improvements. For that -# purpose, some comments show what could be added to make the policy -# more secure. -# -# With EVM the situation might be different because access -# to the EVM key can be restricted. -# -# Files which are appraised are also measured. This allows -# debugging whether a file is in policy by looking at -# /sys/kernel/security/ima/ascii_runtime_measurements - -# PROC_SUPER_MAGIC -dont_appraise fsmagic=0x9fa0 -dont_measure fsmagic=0x9fa0 -# SYSFS_MAGIC -dont_appraise fsmagic=0x62656572 -dont_measure fsmagic=0x62656572 -# DEBUGFS_MAGIC -dont_appraise fsmagic=0x64626720 -dont_measure fsmagic=0x64626720 -# TMPFS_MAGIC -dont_appraise fsmagic=0x01021994 -dont_measure fsmagic=0x01021994 -# RAMFS_MAGIC -dont_appraise fsmagic=0x858458f6 -dont_measure fsmagic=0x858458f6 -# DEVPTS_SUPER_MAGIC -dont_appraise fsmagic=0x1cd1 -dont_measure fsmagic=0x1cd1 -# BIFMT -dont_appraise fsmagic=0x42494e4d -dont_measure fsmagic=0x42494e4d -# SECURITYFS_MAGIC -dont_appraise fsmagic=0x73636673 -dont_measure fsmagic=0x73636673 -# SELINUXFS_MAGIC -dont_appraise fsmagic=0xf97cff8c -dont_measure fsmagic=0xf97cff8c -# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) -dont_appraise fsmagic=0x6e736673 -dont_measure fsmagic=0x6e736673 -# SMACK_MAGIC -dont_appraise fsmagic=0x43415d53 -dont_measure fsmagic=0x43415d53 -# CGROUP_SUPER_MAGIC -dont_appraise fsmagic=0x27e0eb -dont_measure fsmagic=0x27e0eb -# EFIVARFS_MAGIC -dont_appraise fsmagic=0xde5e81e4 -dont_measure fsmagic=0xde5e81e4 - -# Special partition, no checking done. -# dont_measure fsuuid=a11234... -# dont_appraise fsuuid=a11243... - -# Special immutable group. -# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200 - -# All executables must be signed - too strict, we need to -# allow installing executables on the device. -# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC -# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC - -# Default rule. Would be needed also when other rules were added that -# determine what to do in case of reading (mask=MAY_READ or -# mask=MAY_EXEC) because otherwise writing does not update the file -# hash. -appraise -measure diff --git a/meta-integrity/data/ima_policy_simple b/meta-integrity/data/ima_policy_simple deleted file mode 100644 index 38ca8f5..0000000 --- a/meta-integrity/data/ima_policy_simple +++ /dev/null @@ -1,4 +0,0 @@ -# Very simple policy demonstrating the systemd policy loading bug -# (policy with one line works, two lines don't). -dont_appraise fsmagic=0x9fa0 -dont_appraise fsmagic=0x62656572 |