ima: limit the builtin 'tcb' dont_measure tmpfs policy rule

author Mimi Zohar <zohar@linux.ibm.com>

Fri, 27 Dec 2024 02:27:42 +0000 (21:27 -0500)

committer Mimi Zohar <zohar@linux.ibm.com>

Fri, 3 Jan 2025 15:18:24 +0000 (10:18 -0500)
author Mimi Zohar <zohar@linux.ibm.com>
Fri, 27 Dec 2024 02:27:42 +0000 (21:27 -0500)
committer Mimi Zohar <zohar@linux.ibm.com>
Fri, 3 Jan 2025 15:18:24 +0000 (10:18 -0500)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c

index 21a8e54c383f08a9fc9e478f726cb9d1ab7f34a5..23bbe2c405f0188ec84d4d1c3b252dfa2b5530ae 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -148,7 +148,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
         {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
         {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
         {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
-       {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
+       {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK,
+        .flags = IMA_FSMAGIC | IMA_FUNC},
         {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
         {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
         {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
author	Mimi Zohar <zohar@linux.ibm.com>
	Fri, 27 Dec 2024 02:27:42 +0000 (21:27 -0500)
committer	Mimi Zohar <zohar@linux.ibm.com>
	Fri, 3 Jan 2025 15:18:24 +0000 (10:18 -0500)