meta-integrity: port over from meta-intel-iot-security
Signed-off-by: Armin Kuster <akuster808@gmail.com>
@@ -0,0 +1,16 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU
|
||||
Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6
|
||||
IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p
|
||||
OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1
|
||||
lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW
|
||||
HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV
|
||||
aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA
|
||||
TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue
|
||||
WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb
|
||||
SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1
|
||||
xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+
|
||||
CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q
|
||||
1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ
|
||||
3vVaxg2EfqB1
|
||||
-----END PRIVATE KEY-----
|
||||
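Review bot: The file added in this hunk is a PEM private key committed in clear to a public repository, so anyone can produce signatures that any image built with the matching certificate will accept; the encoded length (`MIICdQIBADAN...`, 0x275 bytes) is consistent with a 1024-bit RSA key, which is also below current key-size minimums. The commit message does not say whether this is a development-only key, and a key file has no comment syntax, so that caveat has to live where the key is consumed: the recipe or class that installs the matching certificate should warn at build time that the default key is public, and the layer README should instruct users to generate their own key pair and point the build at it before producing any production image. If the key is meant to be shipped only for local testing, consider moving it out of the default build path so it cannot be picked up by accident.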
Binary file not shown.
@@ -0,0 +1,29 @@
|
||||
#
|
||||
# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)
|
||||
#
|
||||
# Do not measure anything, but appraise everything
|
||||
#
|
||||
# PROC_SUPER_MAGIC
|
||||
dont_appraise fsmagic=0x9fa0
|
||||
# SYSFS_MAGIC
|
||||
dont_appraise fsmagic=0x62656572
|
||||
# DEBUGFS_MAGIC
|
||||
dont_appraise fsmagic=0x64626720
|
||||
# TMPFS_MAGIC
|
||||
dont_appraise fsmagic=0x01021994
|
||||
# RAMFS_MAGIC
|
||||
dont_appraise fsmagic=0x858458f6
|
||||
# DEVPTS_SUPER_MAGIC
|
||||
dont_appraise fsmagic=0x1cd1
|
||||
# BIFMT
|
||||
dont_appraise fsmagic=0x42494e4d
|
||||
# SECURITYFS_MAGIC
|
||||
dont_appraise fsmagic=0x73636673
|
||||
# SELINUXFS_MAGIC
|
||||
dont_appraise fsmagic=0xf97cff8c
|
||||
# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
|
||||
dont_appraise fsmagic=0x6e736673
|
||||
# EFIVARFS_MAGIC
|
||||
dont_appraise fsmagic=0xde5e81e4
|
||||
|
||||
appraise
|
||||
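Review bot: This "appraise everything" policy omits the CGROUP_SUPER_MAGIC and SMACK_MAGIC exemptions that the sibling hashed policy in the same commit carries, so with the unconditional `appraise` at the end, opening a cgroup or smackfs pseudo-file in enforce mode will fail appraisal because those files carry no security.ima xattr. Adding the two rules before the final `appraise` keeps the policies consistent: `# CGROUP_SUPER_MAGIC` / `dont_appraise fsmagic=0x27e0eb` and `# SMACK_MAGIC` / `dont_appraise fsmagic=0x43415d53`. It is also worth a header comment that the bare `appraise` rule accepts hash-only security.ima values, not just signatures, since the file name suggests a stricter policy than it actually enforces.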
@@ -0,0 +1,77 @@
|
||||
# With this policy, all files on regular partitions are
|
||||
# appraised. Files with signed IMA hash and normal hash are
|
||||
# accepted. Signed files cannot be modified while hashed files can be
|
||||
# (which will also update the hash). However, signed files can
|
||||
# be deleted, so in practice it is still possible to replace them
|
||||
# with a modified version.
|
||||
#
|
||||
# Without EVM, this is obviously not very secure, so this policy is
|
||||
# just an example and/or basis for further improvements. For that
|
||||
# purpose, some comments show what could be added to make the policy
|
||||
# more secure.
|
||||
#
|
||||
# With EVM the situation might be different because access
|
||||
# to the EVM key can be restricted.
|
||||
#
|
||||
# Files which are appraised are also measured. This allows
|
||||
# debugging whether a file is in policy by looking at
|
||||
# /sys/kernel/security/ima/ascii_runtime_measurements
|
||||
|
||||
# PROC_SUPER_MAGIC
|
||||
dont_appraise fsmagic=0x9fa0
|
||||
dont_measure fsmagic=0x9fa0
|
||||
# SYSFS_MAGIC
|
||||
dont_appraise fsmagic=0x62656572
|
||||
dont_measure fsmagic=0x62656572
|
||||
# DEBUGFS_MAGIC
|
||||
dont_appraise fsmagic=0x64626720
|
||||
dont_measure fsmagic=0x64626720
|
||||
# TMPFS_MAGIC
|
||||
dont_appraise fsmagic=0x01021994
|
||||
dont_measure fsmagic=0x01021994
|
||||
# RAMFS_MAGIC
|
||||
dont_appraise fsmagic=0x858458f6
|
||||
dont_measure fsmagic=0x858458f6
|
||||
# DEVPTS_SUPER_MAGIC
|
||||
dont_appraise fsmagic=0x1cd1
|
||||
dont_measure fsmagic=0x1cd1
|
||||
# BIFMT
|
||||
dont_appraise fsmagic=0x42494e4d
|
||||
dont_measure fsmagic=0x42494e4d
|
||||
# SECURITYFS_MAGIC
|
||||
dont_appraise fsmagic=0x73636673
|
||||
dont_measure fsmagic=0x73636673
|
||||
# SELINUXFS_MAGIC
|
||||
dont_appraise fsmagic=0xf97cff8c
|
||||
dont_measure fsmagic=0xf97cff8c
|
||||
# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
|
||||
dont_appraise fsmagic=0x6e736673
|
||||
dont_measure fsmagic=0x6e736673
|
||||
# SMACK_MAGIC
|
||||
dont_appraise fsmagic=0x43415d53
|
||||
dont_measure fsmagic=0x43415d53
|
||||
# CGROUP_SUPER_MAGIC
|
||||
dont_appraise fsmagic=0x27e0eb
|
||||
dont_measure fsmagic=0x27e0eb
|
||||
# EFIVARFS_MAGIC
|
||||
dont_appraise fsmagic=0xde5e81e4
|
||||
dont_measure fsmagic=0xde5e81e4
|
||||
|
||||
# Special partition, no checking done.
|
||||
# dont_measure fsuuid=a11234...
|
||||
# dont_appraise fsuuid=a11243...
|
||||
|
||||
# Special immutable group.
|
||||
# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200
|
||||
|
||||
# All executables must be signed - too strict, we need to
|
||||
# allow installing executables on the device.
|
||||
# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
|
||||
# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC
|
||||
|
||||
# Default rule. Would be needed also when other rules were added that
|
||||
# determine what to do in case of reading (mask=MAY_READ or
|
||||
# mask=MAY_EXEC) because otherwise writing does not update the file
|
||||
# hash.
|
||||
appraise
|
||||
measure
|
||||
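Review bot: The `dont_appraise fsmagic=0x01021994` and `dont_appraise fsmagic=0x858458f6` rules exempt every tmpfs and ramfs mount, so anything dropped into /tmp, /run or /dev/shm is read or executed without any check, and because IMA applies the first matching rule this exemption also survives enabling the commented "all executables must be signed" rules further down. The header comment lists the unsigned-file and deletion limitations but not this one; suggest adding `# NOTE: tmpfs/ramfs mounts are never appraised or measured, so code executed from /tmp or /run bypasses this policy entirely.` The trailing unconditional `measure` records every appraised file, which the comment frames as a debugging aid; on a production image that grows the measurement list (and the PCR extend rate, if a TPM is present) with every file open, so it should either be scoped to `func=BPRM_CHECK` / `func=FILE_MMAP mask=MAY_EXEC` or explicitly documented as debug-only.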
@@ -0,0 +1,4 @@
|
||||
# Very simple policy demonstrating the systemd policy loading bug
|
||||
# (policy with one line works, two lines don't).
|
||||
dont_appraise fsmagic=0x9fa0
|
||||
dont_appraise fsmagic=0x62656572
|
||||
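Review bot: The header comment refers to a "systemd policy loading bug" without naming the affected systemd version or a bug report, so nobody can tell when this workaround file can be retired or whether a given image is affected. Suggest `# Demonstrates the systemd IMA policy loading bug (systemd <version>, <bug URL>): a one-line policy loads, a two-line policy does not.` with the actual reference filled in. If the file is only a reproducer and is not installed into images, saying so in the comment would keep it from being mistaken for a usable policy.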