# The default external IMA policy

# Don't appraise any file opened.
# However, we cannot write down such a rule,
#     dont_appraise func=FILE_CHECK
#
# because this rule will accidently cause the security.ima
# being deleted in post_setattr() path. In fact, this is a
# real bug in policy engine when handling post_setattr()
# hook. The failure can be triggered in such a way:
# touch /bin/ls
# /bin/ls <- permission denied

# Reduce performance loss
# audit func=FILE_CHECK fowner=0 mask=^MAY_READ
# measure func=FILE_CHECK fowner=0 mask=^MAY_READ

appraise func=MMAP_CHECK euid=0 appraise_type=imasig

appraise func=BPRM_CHECK euid=0 appraise_type=imasig

appraise func=MODULE_CHECK euid=0 appraise_type=imasig

appraise func=FIRMWARE_CHECK euid=0 appraise_type=imasig

# Enforce the subsequent policy file write to be verified by a trusted IMA
# certificate.
appraise func=POLICY_CHECK euid=0 appraise_type=imasig