data: remove policies

Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2019-05-25 23:12:35 -0700
committer: Armin Kuster <akuster808@gmail.com> 2019-05-28 07:38:52 -0700
commit: d1d4e78708d955d3779fb8ae7c3a531bbfb55050 (patch)
tree: 91b58d3200d46ba464eff53217568be838598c64
parent: cf0123e130696048feb8ddb1b21b214d222bf582 (diff)
download: meta-security-d1d4e78708d955d3779fb8ae7c3a531bbfb55050.tar.gz
3 files changed, 0 insertions, 110 deletions
diff --git a/meta-integrity/data/ima_policy_appraise_all b/meta-integrity/data/ima_policy_appraise_all
deleted file mode 100644
index 36e71a7..0000000
--- a/meta-integrity/data/ima_policy_appraise_all
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)
-# 
-# Do not measure anything, but appraise everything
-#
-# PROC_SUPER_MAGIC
-dont_appraise fsmagic=0x9fa0
-# SYSFS_MAGIC
-dont_appraise fsmagic=0x62656572
-# DEBUGFS_MAGIC
-dont_appraise fsmagic=0x64626720
-# TMPFS_MAGIC
-dont_appraise fsmagic=0x01021994
-# RAMFS_MAGIC
-dont_appraise fsmagic=0x858458f6
-# DEVPTS_SUPER_MAGIC
-dont_appraise fsmagic=0x1cd1
-# BIFMT
-dont_appraise fsmagic=0x42494e4d
-# SECURITYFS_MAGIC
-dont_appraise fsmagic=0x73636673
-# SELINUXFS_MAGIC
-dont_appraise fsmagic=0xf97cff8c
-# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
-dont_appraise fsmagic=0x6e736673
-# EFIVARFS_MAGIC
-dont_appraise fsmagic=0xde5e81e4
-appraise
diff --git a/meta-integrity/data/ima_policy_hashed b/meta-integrity/data/ima_policy_hashed
deleted file mode 100644
index 7f89c8d..0000000
--- a/meta-integrity/data/ima_policy_hashed
+++ /dev/null
@@ -1,77 +0,0 @@
-# With this policy, all files on regular partitions are
-# appraised. Files with signed IMA hash and normal hash are
-# accepted. Signed files cannot be modified while hashed files can be
-# (which will also update the hash). However, signed files can
-# be deleted, so in practice it is still possible to replace them
-# with a modified version.
-#
-# Without EVM, this is obviously not very secure, so this policy is
-# just an example and/or basis for further improvements. For that
-# purpose, some comments show what could be added to make the policy
-# more secure.
-#
-# With EVM the situation might be different because access
-# to the EVM key can be restricted.
-#
-# Files which are appraised are also measured. This allows
-# debugging whether a file is in policy by looking at
-# /sys/kernel/security/ima/ascii_runtime_measurements
-# PROC_SUPER_MAGIC
-dont_appraise fsmagic=0x9fa0
-dont_measure fsmagic=0x9fa0
-# SYSFS_MAGIC
-dont_appraise fsmagic=0x62656572
-dont_measure fsmagic=0x62656572
-# DEBUGFS_MAGIC
-dont_appraise fsmagic=0x64626720
-dont_measure fsmagic=0x64626720
-# TMPFS_MAGIC
-dont_appraise fsmagic=0x01021994
-dont_measure fsmagic=0x01021994
-# RAMFS_MAGIC
-dont_appraise fsmagic=0x858458f6
-dont_measure fsmagic=0x858458f6
-# DEVPTS_SUPER_MAGIC
-dont_appraise fsmagic=0x1cd1
-dont_measure fsmagic=0x1cd1
-# BIFMT
-dont_appraise fsmagic=0x42494e4d
-dont_measure fsmagic=0x42494e4d
-# SECURITYFS_MAGIC
-dont_appraise fsmagic=0x73636673
-dont_measure fsmagic=0x73636673
-# SELINUXFS_MAGIC
-dont_appraise fsmagic=0xf97cff8c
-dont_measure fsmagic=0xf97cff8c
-# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
-dont_appraise fsmagic=0x6e736673
-dont_measure fsmagic=0x6e736673
-# SMACK_MAGIC
-dont_appraise fsmagic=0x43415d53
-dont_measure fsmagic=0x43415d53
-# CGROUP_SUPER_MAGIC
-dont_appraise fsmagic=0x27e0eb
-dont_measure fsmagic=0x27e0eb
-# EFIVARFS_MAGIC
-dont_appraise fsmagic=0xde5e81e4
-dont_measure fsmagic=0xde5e81e4
-# Special partition, no checking done.
-# dont_measure  fsuuid=a11234...
-# dont_appraise fsuuid=a11243...
-# Special immutable group.
-# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200
-# All executables must be signed - too strict, we need to
-# allow installing executables on the device.
-# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
-# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC
-# Default rule. Would be needed also when other rules were added that
-# determine what to do in case of reading (mask=MAY_READ or
-# mask=MAY_EXEC) because otherwise writing does not update the file
-# hash.
-appraise
-measure
diff --git a/meta-integrity/data/ima_policy_simple b/meta-integrity/data/ima_policy_simple
deleted file mode 100644
index 38ca8f5..0000000
--- a/meta-integrity/data/ima_policy_simple
+++ /dev/null
@@ -1,4 +0,0 @@
-# Very simple policy demonstrating the systemd policy loading bug
-# (policy with one line works, two lines don't).
-dont_appraise fsmagic=0x9fa0
-dont_appraise fsmagic=0x62656572
author	Armin Kuster <akuster808@gmail.com>	2019-05-25 23:12:35 -0700
committer	Armin Kuster <akuster808@gmail.com>	2019-05-28 07:38:52 -0700
commit	d1d4e78708d955d3779fb8ae7c3a531bbfb55050 (patch)
tree	91b58d3200d46ba464eff53217568be838598c64
parent	cf0123e130696048feb8ddb1b21b214d222bf582 (diff)
download	meta-security-d1d4e78708d955d3779fb8ae7c3a531bbfb55050.tar.gz

diff --git a/meta-integrity/data/ima_policy_appraise_all b/meta-integrity/data/ima_policy_appraise_all deleted file mode 100644 index 36e71a7..0000000 --- a/meta-integrity/data/ima_policy_appraise_all +++ /dev/null
@@ -1,29 +0,0 @@
1	#
2	# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)
3	#
4	# Do not measure anything, but appraise everything
5	#
6	# PROC_SUPER_MAGIC
7	dont_appraise fsmagic=0x9fa0
8	# SYSFS_MAGIC
9	dont_appraise fsmagic=0x62656572
10	# DEBUGFS_MAGIC
11	dont_appraise fsmagic=0x64626720
12	# TMPFS_MAGIC
13	dont_appraise fsmagic=0x01021994
14	# RAMFS_MAGIC
15	dont_appraise fsmagic=0x858458f6
16	# DEVPTS_SUPER_MAGIC
17	dont_appraise fsmagic=0x1cd1
18	# BIFMT
19	dont_appraise fsmagic=0x42494e4d
20	# SECURITYFS_MAGIC
21	dont_appraise fsmagic=0x73636673
22	# SELINUXFS_MAGIC
23	dont_appraise fsmagic=0xf97cff8c
24	# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
25	dont_appraise fsmagic=0x6e736673
26	# EFIVARFS_MAGIC
27	dont_appraise fsmagic=0xde5e81e4
28
29	appraise


diff --git a/meta-integrity/data/ima_policy_hashed b/meta-integrity/data/ima_policy_hashed deleted file mode 100644 index 7f89c8d..0000000 --- a/meta-integrity/data/ima_policy_hashed +++ /dev/null
@@ -1,77 +0,0 @@
1	# With this policy, all files on regular partitions are
2	# appraised. Files with signed IMA hash and normal hash are
3	# accepted. Signed files cannot be modified while hashed files can be
4	# (which will also update the hash). However, signed files can
5	# be deleted, so in practice it is still possible to replace them
6	# with a modified version.
7	#
8	# Without EVM, this is obviously not very secure, so this policy is
9	# just an example and/or basis for further improvements. For that
10	# purpose, some comments show what could be added to make the policy
11	# more secure.
12	#
13	# With EVM the situation might be different because access
14	# to the EVM key can be restricted.
15	#
16	# Files which are appraised are also measured. This allows
17	# debugging whether a file is in policy by looking at
18	# /sys/kernel/security/ima/ascii_runtime_measurements
19
20	# PROC_SUPER_MAGIC
21	dont_appraise fsmagic=0x9fa0
22	dont_measure fsmagic=0x9fa0
23	# SYSFS_MAGIC
24	dont_appraise fsmagic=0x62656572
25	dont_measure fsmagic=0x62656572
26	# DEBUGFS_MAGIC
27	dont_appraise fsmagic=0x64626720
28	dont_measure fsmagic=0x64626720
29	# TMPFS_MAGIC
30	dont_appraise fsmagic=0x01021994
31	dont_measure fsmagic=0x01021994
32	# RAMFS_MAGIC
33	dont_appraise fsmagic=0x858458f6
34	dont_measure fsmagic=0x858458f6
35	# DEVPTS_SUPER_MAGIC
36	dont_appraise fsmagic=0x1cd1
37	dont_measure fsmagic=0x1cd1
38	# BIFMT
39	dont_appraise fsmagic=0x42494e4d
40	dont_measure fsmagic=0x42494e4d
41	# SECURITYFS_MAGIC
42	dont_appraise fsmagic=0x73636673
43	dont_measure fsmagic=0x73636673
44	# SELINUXFS_MAGIC
45	dont_appraise fsmagic=0xf97cff8c
46	dont_measure fsmagic=0xf97cff8c
47	# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
48	dont_appraise fsmagic=0x6e736673
49	dont_measure fsmagic=0x6e736673
50	# SMACK_MAGIC
51	dont_appraise fsmagic=0x43415d53
52	dont_measure fsmagic=0x43415d53
53	# CGROUP_SUPER_MAGIC
54	dont_appraise fsmagic=0x27e0eb
55	dont_measure fsmagic=0x27e0eb
56	# EFIVARFS_MAGIC
57	dont_appraise fsmagic=0xde5e81e4
58	dont_measure fsmagic=0xde5e81e4
59
60	# Special partition, no checking done.
61	# dont_measure fsuuid=a11234...
62	# dont_appraise fsuuid=a11243...
63
64	# Special immutable group.
65	# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200
66
67	# All executables must be signed - too strict, we need to
68	# allow installing executables on the device.
69	# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
70	# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC
71
72	# Default rule. Would be needed also when other rules were added that
73	# determine what to do in case of reading (mask=MAY_READ or
74	# mask=MAY_EXEC) because otherwise writing does not update the file
75	# hash.
76	appraise
77	measure


diff --git a/meta-integrity/data/ima_policy_simple b/meta-integrity/data/ima_policy_simple deleted file mode 100644 index 38ca8f5..0000000 --- a/meta-integrity/data/ima_policy_simple +++ /dev/null
@@ -1,4 +0,0 @@
1	# Very simple policy demonstrating the systemd policy loading bug
2	# (policy with one line works, two lines don't).
3	dont_appraise fsmagic=0x9fa0
4	dont_appraise fsmagic=0x62656572