Commit c195372

IMA: Add TCB policy as an example for ima_measurements.sh

ima_policy=tcb specification taken from IMA docs [1], updating the tmpfs policy to limit dont_measure to func=FILE_CHECK. This allows doing extra measurements, e.g. the kexec boot command line, see kernel commit 7eef7c8bac9a ("ima: limit the builtin 'tcb' dont_measure tmpfs policy rule").

[1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-policy-tcb

Link: https://lore.kernel.org/ltp/[email protected]/
Reviewed-by: Mimi Zohar <[email protected]>
Signed-off-by: Petr Vorel <[email protected]>
1 parent ba17059 commit c195372

3 files changed, +33 -2 lines changed

Lines changed: 2 additions & 2 deletions
@@ -1,5 +1,5 @@
11
# SPDX-License-Identifier: GPL-2.0-or-later
2-
# Copyright (c) Linux Test Project, 2019-2020
2+
# Copyright (c) Linux Test Project, 2019-2025
33
# Copyright (c) 2020 Microsoft Corporation
44
# Copyright (C) 2009, Cisco Systems Inc.
55
# Ngie Cooper, July 2009
@@ -8,6 +8,6 @@ top_srcdir ?= ../../../../../..
88

99
include $(top_srcdir)/include/mk/env_pre.mk
1010

11-
SUBDIRS := ima_kexec ima_keys ima_policy ima_selinux
11+
SUBDIRS := ima_kexec ima_keys ima_measurements ima_policy ima_selinux
1212

1313
include $(top_srcdir)/include/mk/generic_trunk_target.mk
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
# SPDX-License-Identifier: GPL-2.0-or-later
2+
# Copyright (c) Linux Test Project, 2025
3+
4+
top_srcdir ?= ../../../../../../..
5+
6+
include $(top_srcdir)/include/mk/env_pre.mk
7+
8+
INSTALL_DIR := testcases/data/ima_measurements
9+
INSTALL_TARGETS := *.policy
10+
11+
include $(top_srcdir)/include/mk/generic_leaf_target.mk
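Review bot: the commit message presents this policy as an example for ima_measurements.sh, but none of the three changed files touches that test or its documentation, so nothing tells a user that the file ends up under `testcases/data/ima_measurements` or how it is meant to be used. Suggest pointing at the installed path from the test's usage text or a README alongside it, otherwise the example is only discoverable by reading the Makefile. Two smaller checks on this hunk pass: `top_srcdir ?= ../../../../../../..` is one level deeper than the parent Makefile's `../../../../../..`, which matches the new subdirectory, and `INSTALL_TARGETS := *.policy` follows the glob convention of the sibling data directories, with the usual caveat that any future .policy file dropped here is shipped automatically.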
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
dont_measure fsmagic=0x9fa0
2+
dont_measure fsmagic=0x62656572
3+
dont_measure fsmagic=0x64626720
4+
dont_measure fsmagic=0x1021994 func=FILE_CHECK
5+
dont_measure fsmagic=0x1cd1
6+
dont_measure fsmagic=0x42494e4d
7+
dont_measure fsmagic=0x73636673
8+
dont_measure fsmagic=0xf97cff8c
9+
dont_measure fsmagic=0x43415d53
10+
dont_measure fsmagic=0x27e0eb
11+
dont_measure fsmagic=0x63677270
12+
dont_measure fsmagic=0x6e736673
13+
dont_measure fsmagic=0xde5e81e4
14+
measure func=MMAP_CHECK mask=MAY_EXEC
15+
measure func=BPRM_CHECK mask=MAY_EXEC
16+
measure func=FILE_CHECK mask=^MAY_READ euid=0
17+
measure func=FILE_CHECK mask=^MAY_READ uid=0
18+
measure func=MODULE_CHECK
19+
measure func=FIRMWARE_CHECK
20+
measure func=POLICY_CHECK
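Review bot: the one deliberate deviation from the documented tcb policy, `dont_measure fsmagic=0x1021994 func=FILE_CHECK`, is explained only in the commit message; a reader of the installed file sees thirteen bare fsmagic constants and no hint why the tmpfs rule alone carries `func=FILE_CHECK`. The IMA policy parser skips lines beginning with `#`, so suggest a short header naming the source (the ima-doc tcb policy) and the kernel commit 7eef7c8bac9a the tmpfs change follows, plus a one-line comment on that rule, e.g. `# tmpfs: skip FILE_CHECK only, so kexec cmdline etc. are still measured`. Ordering is correct as written and should stay that way: IMA takes the first matching rule per action class, so the `dont_measure` lines must precede the `measure` lines for the exclusions to take effect.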
