# With this policy, all files on regular partitions are
# appraised. Files with a signed IMA hash and files with a plain
# hash are both accepted. Signed files cannot be modified, while
# hashed files can be (a write also updates the stored hash).
# However, signed files can still be deleted, so in practice it
# remains possible to replace them with a modified version that
# carries a plain hash.
#
# Without EVM this is obviously not very secure: the hash-only
# check is refreshed on every write and IMA alone does not protect
# the hash stored in the file's extended attribute, so this policy
# is just an example and/or a basis for further improvements. For
# that purpose, some comments below show what could be added to make
# the policy more secure.
#
# With EVM the situation may be different, because access
# to the EVM key can be restricted.
#
# Files which are appraised are also measured. This makes it
# possible to check whether a file is covered by the policy by
# looking at /sys/kernel/security/ima/ascii_runtime_measurements.
| 19 | |
| 20 | # PROC_SUPER_MAGIC |
| 21 | dont_appraise fsmagic=0x9fa0 |
| 22 | dont_measure fsmagic=0x9fa0 |
| 23 | # SYSFS_MAGIC |
| 24 | dont_appraise fsmagic=0x62656572 |
| 25 | dont_measure fsmagic=0x62656572 |
| 26 | # DEBUGFS_MAGIC |
| 27 | dont_appraise fsmagic=0x64626720 |
| 28 | dont_measure fsmagic=0x64626720 |
| 29 | # TMPFS_MAGIC |
| 30 | dont_appraise fsmagic=0x01021994 |
| 31 | dont_measure fsmagic=0x01021994 |
| 32 | # RAMFS_MAGIC |
| 33 | dont_appraise fsmagic=0x858458f6 |
| 34 | dont_measure fsmagic=0x858458f6 |
| 35 | # DEVPTS_SUPER_MAGIC |
| 36 | dont_appraise fsmagic=0x1cd1 |
| 37 | dont_measure fsmagic=0x1cd1 |
| 38 | # BIFMT |
| 39 | dont_appraise fsmagic=0x42494e4d |
| 40 | dont_measure fsmagic=0x42494e4d |
| 41 | # SECURITYFS_MAGIC |
| 42 | dont_appraise fsmagic=0x73636673 |
| 43 | dont_measure fsmagic=0x73636673 |
| 44 | # SELINUXFS_MAGIC |
| 45 | dont_appraise fsmagic=0xf97cff8c |
| 46 | dont_measure fsmagic=0xf97cff8c |
| 47 | # NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) |
| 48 | dont_appraise fsmagic=0x6e736673 |
| 49 | dont_measure fsmagic=0x6e736673 |
| 50 | # SMACK_MAGIC |
| 51 | dont_appraise fsmagic=0x43415d53 |
| 52 | dont_measure fsmagic=0x43415d53 |
| 53 | # CGROUP_SUPER_MAGIC |
| 54 | dont_appraise fsmagic=0x27e0eb |
| 55 | dont_measure fsmagic=0x27e0eb |
| 56 | # EFIVARFS_MAGIC |
| 57 | dont_appraise fsmagic=0xde5e81e4 |
| 58 | dont_measure fsmagic=0xde5e81e4 |
| 59 | |
# Special partition on which no checking is done at all. Every file
# on it is neither measured nor appraised, so it should only hold
# data that nothing trusted reads or executes. Both rules must name
# the same filesystem UUID; the values below are placeholders.
# dont_measure fsuuid=a11234...
# dont_appraise fsuuid=a11243...
| 63 | |
# Special immutable group: files owned by group 200 may only be read
# if they carry a valid IMA signature (a plain hash is not enough).
# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200
| 66 | |
# All executables must be signed. This is too strict here, because
# we still need to be able to install new executables on the device.
# Note that without these rules executables fall under the default
# rule below, which also accepts a plain hash.
# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC
| 71 | |
# Default rule. It would still be needed if other rules were added
# that only cover reading or executing (mask=MAY_READ or
# mask=MAY_EXEC), because without an appraisal rule that also covers
# writes, writing to a file does not update its stored hash.
| 76 | appraise |
| 77 | measure |