aboutsummaryrefslogtreecommitdiffstats
path: root/meta-integrity/data/ima_policy_hashed
blob: 7f89c8d98963ddaef512c01b23cce702bfe88427 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# With this policy, all files on regular partitions are
# appraised. Files with signed IMA hash and normal hash are
# accepted. Signed files cannot be modified while hashed files can be
# (which will also update the hash). However, signed files can
# be deleted, so in practice it is still possible to replace them
# with a modified version.
#
# Without EVM, this is obviously not very secure, so this policy is
# just an example and/or basis for further improvements. For that
# purpose, some comments show what could be added to make the policy
# more secure.
#
# With EVM the situation might be different because access
# to the EVM key can be restricted.
#
# Files which are appraised are also measured. This allows
# debugging whether a file is in policy by looking at
# /sys/kernel/security/ima/ascii_runtime_measurements

# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_appraise fsmagic=0x62656572
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_appraise fsmagic=0x64626720
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_appraise fsmagic=0x01021994
dont_measure fsmagic=0x01021994
# RAMFS_MAGIC
dont_appraise fsmagic=0x858458f6
dont_measure fsmagic=0x858458f6
# DEVPTS_SUPER_MAGIC
dont_appraise fsmagic=0x1cd1
dont_measure fsmagic=0x1cd1
# BIFMT
dont_appraise fsmagic=0x42494e4d
dont_measure fsmagic=0x42494e4d
# SECURITYFS_MAGIC
dont_appraise fsmagic=0x73636673
dont_measure fsmagic=0x73636673
# SELINUXFS_MAGIC
dont_appraise fsmagic=0xf97cff8c
dont_measure fsmagic=0xf97cff8c
# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
dont_appraise fsmagic=0x6e736673
dont_measure fsmagic=0x6e736673
# SMACK_MAGIC
dont_appraise fsmagic=0x43415d53
dont_measure fsmagic=0x43415d53
# CGROUP_SUPER_MAGIC
dont_appraise fsmagic=0x27e0eb
dont_measure fsmagic=0x27e0eb
# EFIVARFS_MAGIC
dont_appraise fsmagic=0xde5e81e4
dont_measure fsmagic=0xde5e81e4

# Special partition, no checking done.
# dont_measure  fsuuid=a11234...
# dont_appraise fsuuid=a11243...

# Special immutable group.
# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200

# All executables must be signed - too strict, we need to
# allow installing executables on the device.
# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC

# Default rule. Would be needed also when other rules were added that
# determine what to do in case of reading (mask=MAY_READ or
# mask=MAY_EXEC) because otherwise writing does not update the file
# hash.
appraise
measure