# With this policy, all files on regular partitions are
# appraised. Files with a signed IMA hash and files with a plain hash are
# both accepted. Signed files cannot be modified, while hashed files can be
# (which also updates the stored hash). However, signed files can
# be deleted, so in practice it is still possible to replace them
# with a modified version.
#
# Without EVM this is obviously not very secure, so this policy is
# just an example and/or a basis for further improvements. For that
# purpose, some commented-out rules show what could be added to make the
# policy more secure.
#
# With EVM the situation might be different, because access
# to the EVM key can be restricted.
#
# Files which are appraised are also measured. This allows
# debugging whether a file is covered by the policy by looking at
# /sys/kernel/security/ima/ascii_runtime_measurements

# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_appraise fsmagic=0x62656572
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_appraise fsmagic=0x64626720
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_appraise fsmagic=0x01021994
dont_measure fsmagic=0x01021994
# RAMFS_MAGIC
dont_appraise fsmagic=0x858458f6
dont_measure fsmagic=0x858458f6
# DEVPTS_SUPER_MAGIC
dont_appraise fsmagic=0x1cd1
dont_measure fsmagic=0x1cd1
# BIFMT
dont_appraise fsmagic=0x42494e4d
dont_measure fsmagic=0x42494e4d
# SECURITYFS_MAGIC
dont_appraise fsmagic=0x73636673
dont_measure fsmagic=0x73636673
# SELINUXFS_MAGIC
dont_appraise fsmagic=0xf97cff8c
dont_measure fsmagic=0xf97cff8c
# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
dont_appraise fsmagic=0x6e736673
dont_measure fsmagic=0x6e736673
# SMACK_MAGIC
dont_appraise fsmagic=0x43415d53
dont_measure fsmagic=0x43415d53
# CGROUP_SUPER_MAGIC
dont_appraise fsmagic=0x27e0eb
dont_measure fsmagic=0x27e0eb
# EFIVARFS_MAGIC
dont_appraise fsmagic=0xde5e81e4
dont_measure fsmagic=0xde5e81e4

# Special partition, no checking done.
# dont_measure fsuuid=a11234...
# dont_appraise fsuuid=a11243...

# Special immutable group.
# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200

# All executables must be signed - too strict, we need to
# allow installing executables on the device.
# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC

# Default rules. These are also needed when other rules are added that
# determine what to do on read (mask=MAY_READ or mask=MAY_EXEC),
# because otherwise writing does not update the file hash.
appraise
measure
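The comment block at the top says that appraised files are also measured, so the runtime measurement list can be used to check whether a file is covered by the policy. The following shell script is an added example of that check; it is not part of the policy file above. It parses measurement-list lines in the layout the kernel uses for the `ima` and `ima-ng` templates (PCR, template digest, template name, file digest, pathname), reports whether a path appears at all, and compares the most recently recorded digest with the file's current sha256. The sample list and scratch file at the bottom are constructed for offline use; on a live system the log path is `/sys/kernel/security/ima/ascii_runtime_measurements` (readable by root).

```shell
#!/bin/sh
# Added example: is a file covered by the IMA policy, and does its recorded
# digest still match what is on disk? Not part of the policy file itself.
#
# Measurement-list lines (ima / ima-ng templates) look like:
#   <pcr> <template-digest> <template> [sha256:]<file-digest> <pathname>
# Paths containing spaces are not handled by the awk field split below.

IMA_LOG_DEFAULT=/sys/kernel/security/ima/ascii_runtime_measurements

# Print every digest recorded for PATH in LOG, oldest first. A file that was
# rewritten after being measured (hashed, not signed) shows up more than once.
ima_recorded_digests() {
    log=$1
    path=$2
    awk -v p="$path" '$5 == p { d = $4; sub(/^[a-z0-9-]+:/, "", d); print d }' "$log"
}

# Exit status 0 when PATH has at least one entry (the policy applied to it).
ima_in_policy() {
    [ -n "$(ima_recorded_digests "$1" "$2")" ]
}

# Compare the newest recorded digest with the file's current sha256 (coreutils).
# Prints "match", "mismatch" or "unmeasured"; non-zero status unless "match".
ima_compare_current() {
    log=$1
    path=$2
    recorded=$(ima_recorded_digests "$log" "$path" | tail -n 1)
    if [ -z "$recorded" ]; then
        echo unmeasured
        return 1
    fi
    current=$(sha256sum "$path" | cut -d' ' -f1)
    if [ "$current" = "$recorded" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# Constructed demo data: a scratch file whose content is "hello\n" and a fake
# measurement list that records its sha256 plus an unrelated entry.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/demo.sh"
cat > "$demo_dir/measurements" <<EOF
10 0000000000000000000000000000000000000000 ima-ng sha256:5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 $demo_dir/demo.sh
10 1111111111111111111111111111111111111111 ima-ng sha256:1111111111111111111111111111111111111111111111111111111111111111 /usr/bin/unrelated
EOF

result=$(ima_compare_current "$demo_dir/measurements" "$demo_dir/demo.sh") || :
echo "before edit: $result"                    # match
printf 'edited\n' >> "$demo_dir/demo.sh"       # simulate a rewrite of a hashed file
result=$(ima_compare_current "$demo_dir/measurements" "$demo_dir/demo.sh") || :
echo "after edit:  $result"                    # mismatch until the file is re-measured
rm -rf "$demo_dir"
```

On a real system run `ima_in_policy "$IMA_LOG_DEFAULT" /path/to/file` as root after accessing the file once, since an entry only appears after the file has been opened, mapped or executed under a matching `measure` rule. A `mismatch` for a hashed file is expected after it was written to (the new hash is stored in the xattr and a fresh measurement is appended on the next access), whereas for a signed file it means the content no longer matches what was measured.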