linux-kernel.vger.kernel.org archive mirror
* [PATCH] IMA: Minimal IMA policy and boot param for TCB IMA policy
@ 2009-05-21 19:47 Eric Paris
  2009-05-21 22:15 ` Mimi Zohar
  2009-05-21 23:32 ` James Morris
  0 siblings, 2 replies; 6+ messages in thread
From: Eric Paris @ 2009-05-21 19:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: jmorris, zohar, safford, eparis

The IMA TCB policy is dangerous.  A normal user can use all of a system's
memory (which cannot be freed) simply by building and running lots of
executables.  The TCB policy is also nearly useless because logging in as root
often causes a policy violation when dealing with utmp, thus rendering the
measurements meaningless.

There is no good fix for this in the kernel.  A full TCB policy would need to
be loaded in userspace using LSM rule matching to get both a protected and
useful system.  But, if too little is measured before userspace can load a real
policy one again ends up with a meaningless set of measurements.  One option
would be to put the policy load inside the initrd in order to get it early
enough in the boot sequence to be useful, but this runs into trouble with the
LSM.  For IMA to measure the LSM policy and the LSM policy loading mechanism
it needs rules to do so, but we already talked about problems with defaulting
to such broad rules....

IMA also depends on the files being measured to be on an FS which implements
and supports i_version.  Since the only FS with this support (ext4) doesn't
even use it by default it seems silly to have any IMA rules by default.

This should reduce the performance overhead of IMA to near 0 while still
letting users who choose to configure their machine as such to include the
ima_tcb kernel parameter and get measurements during boot before they can
load a customized, reasonable policy in userspace.

Signed-off-by: Eric Paris <eparis@redhat.com>
---

 Documentation/kernel-parameters.txt |    6 ++++++
 security/integrity/ima/ima_policy.c |   30 +++++++++++++++++++++++++++---
 2 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 95c523a..6a90c27 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -914,6 +914,12 @@ and is between 256 and 4096 characters. It is defined in the file
 			Formt: { "sha1" | "md5" }
 			default: "sha1"
 
+	ima_tcb		[IMA]
+			Load a policy which meets the needs of the Trusted
+			Computing Base.  This means IMA will measure all
+			programs exec'd, files mmap'd for exec, and all files
+			opened for read by uid=0.
+
 	in2000=		[HW,SCSI]
 			See header of drivers/scsi/in2000.c.
 
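Review bot: the new `ima_tcb` entry says what the option measures but not what happens without it, which after this patch is no default rules at all (see the `entries = 0` path in `ima_init_policy()` below) and is the user-visible change most readers of this file need; suggest adding a sentence such as "Without this option no rules are loaded until a policy is written from userspace." While editing this block, the context line `Formt: { "sha1" | "md5" }` two lines above the insertion has a typo (`Format:`) that could be fixed in the same patch.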
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index fd72d77..e127839 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -45,9 +45,17 @@ struct ima_measure_rule_entry {
 	} lsm[MAX_LSM_RULES];
 };
 
-/* Without LSM specific knowledge, the default policy can only be
+/*
+ * Without LSM specific knowledge, the default policy can only be
  * written in terms of .action, .func, .mask, .fsmagic, and .uid
  */
+
+/*
+ * The minimum rule set to allow for full TCB coverage.  Measures all files
+ * opened or mmap for exec and everything read by root.  Dangerous because
+ * normal users can easily run the machine out of memory simply building
+ * and running executables.
+ */
 static struct ima_measure_rule_entry default_rules[] = {
 	{.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
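Review bot: the comment added above `default_rules[]` describes the TCB rule set, but the array keeps the name `default_rules` even though after this patch it is loaded only when `ima_tcb` is given and the real default is an empty list; renaming it (the first posting used `tcb_default_rules`) would keep the name, the comment and the `ima_use_tcb` check in `ima_init_policy()` consistent. Minor wording: "opened or mmap for exec" should read "exec'd or mmap'd for exec", and the out-of-memory warning would be clearer if it gave the reason the commit message gives, that measurement entries are never freed.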
@@ -59,6 +67,8 @@ static struct ima_measure_rule_entry default_rules[] = {
 	 .flags = IMA_FUNC | IMA_MASK},
 	{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
 	 .flags = IMA_FUNC | IMA_MASK},
+	{.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
+	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 };
 
 static LIST_HEAD(measure_default_rules);
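Review bot: the appended `{.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0, ...}` rule is the one the commit message blames for making root logins produce policy violations (utmp), yet nothing in the hunk records that limitation; a one-line comment on this entry saying that files root both reads and writes will show up as violations in the measurement list would tell administrators who enable `ima_tcb` what to expect. Placing it after the `DONT_MEASURE` fsmagic entries keeps the table's exclusions-first layout, which is right.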
@@ -67,6 +77,14 @@ static struct list_head *ima_measure;
 
 static DEFINE_MUTEX(ima_measure_mutex);
 
+static bool ima_use_tcb __initdata;
+static int __init default_policy_setup(char *str)
+{
+	ima_use_tcb = 1;
+	return 1;
+}
+__setup("ima_tcb", default_policy_setup);
+
 /**
  * ima_match_rules - determine whether an inode matches the measure rule.
  * @rule: a pointer to a rule
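Review bot: `ima_use_tcb` is declared `bool` but `default_policy_setup()` assigns it the integer `1`; use `true` so the assignment matches the type. The unused `str` parameter is normal for a flag-only `__setup` handler, but `__initdata` on the variable is only safe because its one reader, `ima_init_policy()`, is itself `__init`; a short comment saying so would stop a later change from reading it after init memory has been discarded.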
@@ -162,9 +180,15 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask)
  */
 void __init ima_init_policy(void)
 {
-	int i;
+	int i, entries;
+
+	/* if !ima_use_tcb set entries = 0 so we load NO default rules */
+	if (ima_use_tcb)
+		entries = ARRAY_SIZE(default_rules);
+	else
+		entries = 0;
 
-	for (i = 0; i < ARRAY_SIZE(default_rules); i++)
+	for (i = 0; i < entries; i++)
 		list_add_tail(&default_rules[i].list, &measure_default_rules);
 	ima_measure = &measure_default_rules;
 }
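Review bot: the comment `/* if !ima_use_tcb set entries = 0 so we load NO default rules */` and the `entries` variable restate the `if` that follows; setting `ima_measure = &measure_default_rules;` first and returning early when `!ima_use_tcb` would leave the original `ARRAY_SIZE(default_rules)` loop untouched and make the empty-policy path obvious. Whichever form is kept, `ima_measure` must still point at the (empty) list when the option is absent, which this hunk gets right because the assignment sits outside the loop.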



* Re: [PATCH] IMA: Minimal IMA policy and boot param for TCB IMA policy
  2009-05-21 19:47 [PATCH] IMA: Minimal IMA policy and boot param for TCB IMA policy Eric Paris
@ 2009-05-21 22:15 ` Mimi Zohar
  2009-05-21 23:32 ` James Morris
  1 sibling, 0 replies; 6+ messages in thread
From: Mimi Zohar @ 2009-05-21 22:15 UTC (permalink / raw)
  To: Eric Paris; +Cc: linux-kernel, jmorris, safford

On Thu, 2009-05-21 at 15:47 -0400, Eric Paris wrote:
> The IMA TCB policy is dangerous.  A normal user can use all of a system's
> memory (which cannot be freed) simply by building and running lots of
> executables.  The TCB policy is also nearly useless because logging in as root
> often causes a policy violation when dealing with utmp, thus rendering the
> measurements meaningless.
> 
> There is no good fix for this in the kernel.  A full TCB policy would need to
> be loaded in userspace using LSM rule matching to get both a protected and
> useful system.  But, if too little is measured before userspace can load a real
> policy one again ends up with a meaningless set of measurements.  One option
> would be to put the policy load inside the initrd in order to get it early
> enough in the boot sequence to be useful, but this runs into trouble with the
> LSM.  For IMA to measure the LSM policy and the LSM policy loading mechanism
> it needs rules to do so, but we already talked about problems with defaulting
> to such broad rules....
> 
> IMA also depends on the files being measured to be on an FS which implements
> and supports i_version.  Since the only FS with this support (ext4) doesn't
> even use it by default it seems silly to have any IMA rules by default.

IMA measures files based on policy.  It re-measures files based on
changes to i_version, which is incremented only if the filesystem is
mounted with 'iversion' support. (ext3 can be mounted with iversion.) In
order to re-measure any file in the TCB that changes, the iversion
option needs to be added in rc.sysinit, when the root filesystem is
remounted, and in /etc/fstab for other filesystems.

> This should reduce the performance overhead of IMA to near 0 while still
> letting users who choose to configure their machine as such to include the
> ima_tcb kernel parameter and get measurements during boot before they can
> load a customized, reasonable policy in userspace.
> 
> Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Mimi Zohar <zohar@us.ibm.com>
> ---
> 
>  Documentation/kernel-parameters.txt |    6 ++++++
>  security/integrity/ima/ima_policy.c |   30 +++++++++++++++++++++++++++---
>  2 files changed, 33 insertions(+), 3 deletions(-)
> 
> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
> index 95c523a..6a90c27 100644
> --- a/Documentation/kernel-parameters.txt
> +++ b/Documentation/kernel-parameters.txt
> @@ -914,6 +914,12 @@ and is between 256 and 4096 characters. It is defined in the file
>  			Formt: { "sha1" | "md5" }
>  			default: "sha1"
> 
> +	ima_tcb		[IMA]
> +			Load a policy which meets the needs of the Trusted
> +			Computing Base.  This means IMA will measure all
> +			programs exec'd, files mmap'd for exec, and all files
> +			opened for read by uid=0.
> +
>  	in2000=		[HW,SCSI]
>  			See header of drivers/scsi/in2000.c.
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index fd72d77..e127839 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -45,9 +45,17 @@ struct ima_measure_rule_entry {
>  	} lsm[MAX_LSM_RULES];
>  };
> 
> -/* Without LSM specific knowledge, the default policy can only be
> +/*
> + * Without LSM specific knowledge, the default policy can only be
>   * written in terms of .action, .func, .mask, .fsmagic, and .uid
>   */
> +
> +/*
> + * The minimum rule set to allow for full TCB coverage.  Measures all files
> + * opened or mmap for exec and everything read by root.  Dangerous because
> + * normal users can easily run the machine out of memory simply building
> + * and running executables.
> + */
>  static struct ima_measure_rule_entry default_rules[] = {
>  	{.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
>  	{.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
> @@ -59,6 +67,8 @@ static struct ima_measure_rule_entry default_rules[] = {
>  	 .flags = IMA_FUNC | IMA_MASK},
>  	{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
>  	 .flags = IMA_FUNC | IMA_MASK},
> +	{.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
> +	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
>  };
> 
>  static LIST_HEAD(measure_default_rules);
> @@ -67,6 +77,14 @@ static struct list_head *ima_measure;
> 
>  static DEFINE_MUTEX(ima_measure_mutex);
> 
> +static bool ima_use_tcb __initdata;
> +static int __init default_policy_setup(char *str)
> +{
> +	ima_use_tcb = 1;
> +	return 1;
> +}
> +__setup("ima_tcb", default_policy_setup);
> +
>  /**
>   * ima_match_rules - determine whether an inode matches the measure rule.
>   * @rule: a pointer to a rule
> @@ -162,9 +180,15 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask)
>   */
>  void __init ima_init_policy(void)
>  {
> -	int i;
> +	int i, entries;
> +
> +	/* if !ima_use_tcb set entries = 0 so we load NO default rules */
> +	if (ima_use_tcb)
> +		entries = ARRAY_SIZE(default_rules);
> +	else
> +		entries = 0;
> 
> -	for (i = 0; i < ARRAY_SIZE(default_rules); i++)
> +	for (i = 0; i < entries; i++)
>  		list_add_tail(&default_rules[i].list, &measure_default_rules);
>  	ima_measure = &measure_default_rules;
>  }
> 


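Mimi's point about iversion above is a deployment precondition worth checking before trusting a measurement list. The following is an added example, not code from the thread or from IMA: it scans a /proc/mounts-style table (the SAMPLE_MOUNTS text is constructed) and reports ext3/ext4 mounts that lack the iversion option, so that the /etc/fstab entry or the rc.sysinit root remount can be corrected. Restricting the check to ext3 and ext4 (the filesystems the reply names) and accepting both the `iversion` and `i_version` spellings are assumptions of the example.

```c
/*
 * Added check, not part of the thread or of the IMA code: scan a
 * /proc/mounts-style table and report ext3/ext4 mounts lacking the
 * iversion option, without which IMA does not re-measure changed files.
 * Assumptions: only ext3/ext4 are checked (the filesystems named in the
 * reply), and both "iversion" (mount(8) spelling) and "i_version" (as some
 * filesystems print it back) are accepted.  SAMPLE_MOUNTS is constructed.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static const char SAMPLE_MOUNTS[] =
	"rootfs / rootfs rw 0 0\n"
	"/dev/sda1 / ext4 rw,relatime,barrier=1,data=ordered 0 0\n"
	"/dev/sda2 /home ext3 rw,relatime,i_version,data=ordered 0 0\n"
	"/dev/sda3 /var ext3 rw,relatime,noiversion,data=ordered 0 0\n"
	"proc /proc proc rw,relatime 0 0\n";

/* True if the comma-separated option string carries the iversion flag.
 * Matches whole tokens only, so "noiversion" does not count. */
bool has_iversion(const char *opts)
{
	const char *p = opts;

	for (;;) {
		const char *end = strchr(p, ',');
		size_t len = end ? (size_t)(end - p) : strlen(p);

		if ((len == 8 && strncmp(p, "iversion", 8) == 0) ||
		    (len == 9 && strncmp(p, "i_version", 9) == 0))
			return true;
		if (!end)
			return false;
		p = end + 1;
	}
}

/* Count ext3/ext4 entries in the table that lack iversion, printing each so
 * the /etc/fstab line or the rc.sysinit remount can be corrected. */
int mounts_missing_iversion(const char *table)
{
	int missing = 0;
	const char *line = table;

	while (*line) {
		const char *nl = strchr(line, '\n');
		size_t len = nl ? (size_t)(nl - line) : strlen(line);
		char buf[512], mnt[256], type[64], opts[256];

		if (len >= sizeof(buf))
			len = sizeof(buf) - 1;
		memcpy(buf, line, len);
		buf[len] = '\0';

		/* fields: device mountpoint fstype options dump pass */
		if (sscanf(buf, "%*s %255s %63s %255s", mnt, type, opts) == 3 &&
		    (strcmp(type, "ext3") == 0 || strcmp(type, "ext4") == 0) &&
		    !has_iversion(opts)) {
			printf("%s (%s) mounted without iversion: add it in /etc/fstab or the root remount\n",
			       mnt, type);
			missing++;
		}
		if (!nl)
			break;
		line = nl + 1;
	}
	return missing;
}

int main(void)
{
	int n = mounts_missing_iversion(SAMPLE_MOUNTS);

	printf("%d filesystem(s) need the iversion option\n", n);
	return n ? 1 : 0;
}
```

On a live system the same function can be fed the contents of /proc/mounts; the sample table exercises the three cases that matter: no option, the option present, and the `noiversion` negation that a substring match would wrongly accept.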

* Re: [PATCH] IMA: Minimal IMA policy and boot param for TCB IMA policy
  2009-05-21 19:47 [PATCH] IMA: Minimal IMA policy and boot param for TCB IMA policy Eric Paris
  2009-05-21 22:15 ` Mimi Zohar
@ 2009-05-21 23:32 ` James Morris
  1 sibling, 0 replies; 6+ messages in thread
From: James Morris @ 2009-05-21 23:32 UTC (permalink / raw)
  To: Eric Paris; +Cc: linux-kernel, zohar, safford

On Thu, 21 May 2009, Eric Paris wrote:

> The IMA TCB policy is dangerous.  A normal user can use all of a system's
> memory (which cannot be freed) simply by building and running lots of
> executables.  The TCB policy is also nearly useless because logging in as root
> often causes a policy violation when dealing with utmp, thus rendering the
> measurements meaningless.

Applied to 
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next

-- 
James Morris
<jmorris@namei.org>


* Re: [PATCH] IMA: Minimal IMA policy and boot param for TCB IMA policy
  2009-05-18 17:52 ` Mimi Zohar
@ 2009-05-20  2:44   ` Eric Paris
  0 siblings, 0 replies; 6+ messages in thread
From: Eric Paris @ 2009-05-20  2:44 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: linux-kernel, jmorris, safford

On Mon, 2009-05-18 at 13:52 -0400, Mimi Zohar wrote:
> On Mon, 2009-05-18 at 12:01 -0400, Eric Paris wrote: 
> > The IMA TCB policy is dangerous.  A normal user can use all of a system's
> > memory (which cannot be freed) simply by building and running lots of
> > executables.  The TCB policy is also nearly useless because logging in as root
> > often causes a policy violation when dealing with utmp, thus rendering the
> > measurements meaningless.
> > 
> > There is no good fix for this in the kernel.  A full TCB policy would need to
> > be loaded in userspace using LSM rule matching to get both a protected and
> > useful system.  But, if too little is measured before userspace can load a real
> > policy one again ends up with a meaningless set of measurements.  One option
> > would be to put the policy load inside the initrd in order to get it early
> > enough in the boot sequence to be useful, but this runs into trouble with the
> > LSM.  For IMA to measure the LSM policy and the LSM policy loading mechanism
> > it needs rules to do so, but we already talked about problems with defaulting
> > to such broad rules....
> 
> Exactly. Although it is possible to load the IMA policy in the initrd,
> the IMA policy would need to be enabled after the LSM policy is loaded
> in order to define LSM specific rules, but the SELinux policy itself
> would not be measured, as it is not defined in the initrd, but on the
> root filesystem. Measuring files really needs to start before the root
> filesystem is mounted.

Yes, quite the chicken/egg....

And I'm really questioning the whole IMA + readahead interaction issues.
I guess it makes readahead easier if we always measure all exec'd and
mmap for exec files, the cache will always be hot if you have enough
memory.

I'm pretty opposed to a default policy in which a non-priv user can
easily OOM a box (if only there were some way to free this memory...)

I'm going to sleep on it again tonight.  I sorta feel like my rule set
could be reasonable for many distro purposes, but at the same time,
those use cases might be willing to accept some period of startup
without continuous measurement (and thus willing to accept the no-rule
default)

In any case, I'm leaning toward the command line ima_tcb option so users
can avoid the nasty chicken/egg initrd/kernel_init/lsm_init/userspace
issues that having incomplete coverage early in the process would result
in if they so choose.

> The other option would be to define a file security/ima/enable, which
> could be enabled in the initrd, and defer calling ima_init_policy() to
> then. With no policy, the measurement list would only contain the boot
> aggregate. Either approach is fine.

Is hacking the initrd to mount a securityfs and echo 1 into a magic file
better than a kernel command line option?  I don't think so, but maybe
others on list would disagree.....



* Re: [PATCH] IMA: Minimal IMA policy and boot param for TCB IMA policy
  2009-05-18 16:01 Eric Paris
@ 2009-05-18 17:52 ` Mimi Zohar
  2009-05-20  2:44   ` Eric Paris
  0 siblings, 1 reply; 6+ messages in thread
From: Mimi Zohar @ 2009-05-18 17:52 UTC (permalink / raw)
  To: Eric Paris; +Cc: linux-kernel, jmorris, safford

On Mon, 2009-05-18 at 12:01 -0400, Eric Paris wrote: 
> The IMA TCB policy is dangerous.  A normal user can use all of a system's
> memory (which cannot be freed) simply by building and running lots of
> executables.  The TCB policy is also nearly useless because logging in as root
> often causes a policy violation when dealing with utmp, thus rendering the
> measurements meaningless.
> 
> There is no good fix for this in the kernel.  A full TCB policy would need to
> be loaded in userspace using LSM rule matching to get both a protected and
> useful system.  But, if too little is measured before userspace can load a real
> policy one again ends up with a meaningless set of measurements.  One option
> would be to put the policy load inside the initrd in order to get it early
> enough in the boot sequence to be useful, but this runs into trouble with the
> LSM.  For IMA to measure the LSM policy and the LSM policy loading mechanism
> it needs rules to do so, but we already talked about problems with defaulting
> to such broad rules....

Exactly. Although it is possible to load the IMA policy in the initrd,
the IMA policy would need to be enabled after the LSM policy is loaded
in order to define LSM specific rules, but the SELinux policy itself
would not be measured, as it is not defined in the initrd, but on the
root filesystem. Measuring files really needs to start before the root
filesystem is mounted.

> The solution proposed here is to default IMA to use a very minimal set of
> rules.  That set of rules is to only measure programs exec'ed (or files mmap'd
> for exec) by root.  This should allow for future interesting uses of IMA such
> as verification of the binaries and libraries in question before asking for
> encrypted disk passwords and such, while not opening the system up to easy DoS
> attacks by normal users.

But for now as the code, in EVM's terminology verify_data/metadata() or
in LIM's terminology appraise_data(), is not yet there, perhaps it would
be better to default to no policy, so that there would be no impact or
rather very minimal impact on the distros?

> To allow for a more thorough set of measurements by IMA before a customized
> policy is loaded by userspace I add the kernel command line option "ima_tcb".
> This option will load the originally proposed IMA policy during kernel init.
> Thus one gets the broad measurement coverage required before userspace can
> load the customized policy if a user is so inclined.
> 
> Signed-off-by: Eric Paris <eparis@redhat.com>

The other option would be to define a file security/ima/enable, which
could be enabled in the initrd, and defer calling ima_init_policy() to
then. With no policy, the measurement list would only contain the boot
aggregate. Either approach is fine.

Mimi Zohar
> ---
> 
>  Documentation/kernel-parameters.txt |    6 ++++
>  security/integrity/ima/ima_policy.c |   47 ++++++++++++++++++++++++++++++++---
>  2 files changed, 49 insertions(+), 4 deletions(-)
> 
> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
> index 95c523a..6a90c27 100644
> --- a/Documentation/kernel-parameters.txt
> +++ b/Documentation/kernel-parameters.txt
> @@ -914,6 +914,12 @@ and is between 256 and 4096 characters. It is defined in the file
>  			Formt: { "sha1" | "md5" }
>  			default: "sha1"
> 
> +	ima_tcb		[IMA]
> +			Load a policy which meets the needs of the Trusted
> +			Computing Base.  This means IMA will measure all
> +			programs exec'd, files mmap'd for exec, and all files
> +			opened for read by uid=0.
> +
>  	in2000=		[HW,SCSI]
>  			See header of drivers/scsi/in2000.c.
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index fd72d77..de0910a 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -45,10 +45,30 @@ struct ima_measure_rule_entry {
>  	} lsm[MAX_LSM_RULES];
>  };
> 
> -/* Without LSM specific knowledge, the default policy can only be
> +/*
> + * Without LSM specific knowledge, the default policy can only be
>   * written in terms of .action, .func, .mask, .fsmagic, and .uid
>   */
> +
> +/*
> + * Default for a 'normal' kernel with IMA enabled.  This measures only those
> + * files which are exec'd (or mmap for exec) by uid=0.  This attempts to be
> + * a minimal performance impact configuration while still being useful to some
> + * people.
> + */
>  static struct ima_measure_rule_entry default_rules[] = {
> +	{.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,.uid = 0,
> +	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
> +	{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,.uid = 0,
> +	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
> +};
> +
> +/*
> + * The minimum rule set to allow for full TCB coverage.  Different than above
> + * because it measures all things exec'd by all users and everything read by
> + * root.
> + */
> +static struct ima_measure_rule_entry tcb_default_rules[] = {
>  	{.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
>  	{.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
>  	{.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
> @@ -59,6 +79,8 @@ static struct ima_measure_rule_entry default_rules[] = {
>  	 .flags = IMA_FUNC | IMA_MASK},
>  	{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
>  	 .flags = IMA_FUNC | IMA_MASK},
> +	{.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
> +	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
>  };
> 
>  static LIST_HEAD(measure_default_rules);
> @@ -67,6 +89,14 @@ static struct list_head *ima_measure;
> 
>  static DEFINE_MUTEX(ima_measure_mutex);
> 
> +static bool ima_use_tcb __initdata;
> +static int __init default_policy_setup(char *str)
> +{
> +	ima_use_tcb = 1;
> +	return 1;
> +}
> +__setup("ima_tcb", default_policy_setup);
> +
>  /**
>   * ima_match_rules - determine whether an inode matches the measure rule.
>   * @rule: a pointer to a rule
> @@ -162,10 +192,19 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask)
>   */
>  void __init ima_init_policy(void)
>  {
> -	int i;
> +	int i, entries;
> +	struct ima_measure_rule_entry *rules;
> +
> +	if (ima_use_tcb) {
> +		rules = tcb_default_rules;
> +		entries = ARRAY_SIZE(tcb_default_rules);
> +	} else {
> +		rules = default_rules;
> +		entries = ARRAY_SIZE(default_rules);
> +	}
> 
> -	for (i = 0; i < ARRAY_SIZE(default_rules); i++)
> -		list_add_tail(&default_rules[i].list, &measure_default_rules);
> +	for (i = 0; i < entries; i++)
> +		list_add_tail(&rules[i].list, &measure_default_rules);
>  	ima_measure = &measure_default_rules;
>  }
> 
> 



* [PATCH] IMA: Minimal IMA policy and boot param for TCB IMA policy
@ 2009-05-18 16:01 Eric Paris
  2009-05-18 17:52 ` Mimi Zohar
  0 siblings, 1 reply; 6+ messages in thread
From: Eric Paris @ 2009-05-18 16:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: jmorris, zohar, safford, eparis

The IMA TCB policy is dangerous.  A normal user can use all of a system's
memory (which cannot be freed) simply by building and running lots of
executables.  The TCB policy is also nearly useless because logging in as root
often causes a policy violation when dealing with utmp, thus rendering the
measurements meaningless.

There is no good fix for this in the kernel.  A full TCB policy would need to
be loaded in userspace using LSM rule matching to get both a protected and
useful system.  But, if too little is measured before userspace can load a real
policy one again ends up with a meaningless set of measurements.  One option
would be to put the policy load inside the initrd in order to get it early
enough in the boot sequence to be useful, but this runs into trouble with the
LSM.  For IMA to measure the LSM policy and the LSM policy loading mechanism
it needs rules to do so, but we already talked about problems with defaulting
to such broad rules....

The solution proposed here is to default IMA to use a very minimal set of
rules.  That set of rules is to only measure programs exec'ed (or files mmap'd
for exec) by root.  This should allow for future interesting uses of IMA such
as verification of the binaries and libraries in question before asking for
encrypted disk passwords and such, while not opening the system up to easy DoS
attacks by normal users.

To allow for a more thorough set of measurements by IMA before a customized
policy is loaded by userspace I add the kernel command line option "ima_tcb".
This option will load the originally proposed IMA policy during kernel init.
Thus one gets the broad measurement coverage required before userspace can
load the customized policy if a user is so inclined.

Signed-off-by: Eric Paris <eparis@redhat.com>
---

 Documentation/kernel-parameters.txt |    6 ++++
 security/integrity/ima/ima_policy.c |   47 ++++++++++++++++++++++++++++++++---
 2 files changed, 49 insertions(+), 4 deletions(-)

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 95c523a..6a90c27 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -914,6 +914,12 @@ and is between 256 and 4096 characters. It is defined in the file
 			Formt: { "sha1" | "md5" }
 			default: "sha1"
 
+	ima_tcb		[IMA]
+			Load a policy which meets the needs of the Trusted
+			Computing Base.  This means IMA will measure all
+			programs exec'd, files mmap'd for exec, and all files
+			opened for read by uid=0.
+
 	in2000=		[HW,SCSI]
 			See header of drivers/scsi/in2000.c.
 
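Review bot: this version installs a non-empty policy when `ima_tcb` is absent (the uid 0 exec and exec-mmap rules in the new `default_rules[]` below), but kernel-parameters.txt documents only the `ima_tcb` case; the description should also say what is measured without the option and how the TCB set differs (all users' execs plus everything uid 0 opens for read), otherwise an administrator has no way to learn the default behaviour from the documentation.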
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index fd72d77..de0910a 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -45,10 +45,30 @@ struct ima_measure_rule_entry {
 	} lsm[MAX_LSM_RULES];
 };
 
-/* Without LSM specific knowledge, the default policy can only be
+/*
+ * Without LSM specific knowledge, the default policy can only be
  * written in terms of .action, .func, .mask, .fsmagic, and .uid
  */
+
+/*
+ * Default for a 'normal' kernel with IMA enabled.  This measures only those
+ * files which are exec'd (or mmap for exec) by uid=0.  This attempts to be
+ * a minimal performance impact configuration while still being useful to some
+ * people.
+ */
 static struct ima_measure_rule_entry default_rules[] = {
+	{.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,.uid = 0,
+	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
+	{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,.uid = 0,
+	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
+};
+
+/*
+ * The minimum rule set to allow for full TCB coverage.  Different than above
+ * because it measures all things exec'd by all users and everything read by
+ * root.
+ */
+static struct ima_measure_rule_entry tcb_default_rules[] = {
 	{.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
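Review bot: the new minimal `default_rules[]` has no `DONT_MEASURE` entries, while `tcb_default_rules[]` keeps the `PROC_SUPER_MAGIC`, `SYSFS_MAGIC` and `DEBUGFS_MAGIC` exclusions shown at the end of this hunk; under the minimal set anything uid 0 executes or maps for exec from those pseudo-filesystems would be measured, which the TCB set deliberately avoids. Either carry the three fsmagic exclusions into the minimal set as well or add a comment explaining why they are not needed there.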
@@ -59,6 +79,8 @@ static struct ima_measure_rule_entry default_rules[] = {
 	 .flags = IMA_FUNC | IMA_MASK},
 	{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
 	 .flags = IMA_FUNC | IMA_MASK},
+	{.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
+	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 };
 
 static LIST_HEAD(measure_default_rules);
@@ -67,6 +89,14 @@ static struct list_head *ima_measure;
 
 static DEFINE_MUTEX(ima_measure_mutex);
 
+static bool ima_use_tcb __initdata;
+static int __init default_policy_setup(char *str)
+{
+	ima_use_tcb = 1;
+	return 1;
+}
+__setup("ima_tcb", default_policy_setup);
+
 /**
  * ima_match_rules - determine whether an inode matches the measure rule.
  * @rule: a pointer to a rule
@@ -162,10 +192,19 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask)
  */
 void __init ima_init_policy(void)
 {
-	int i;
+	int i, entries;
+	struct ima_measure_rule_entry *rules;
+
+	if (ima_use_tcb) {
+		rules = tcb_default_rules;
+		entries = ARRAY_SIZE(tcb_default_rules);
+	} else {
+		rules = default_rules;
+		entries = ARRAY_SIZE(default_rules);
+	}
 
-	for (i = 0; i < ARRAY_SIZE(default_rules); i++)
-		list_add_tail(&default_rules[i].list, &measure_default_rules);
+	for (i = 0; i < entries; i++)
+		list_add_tail(&rules[i].list, &measure_default_rules);
 	ima_measure = &measure_default_rules;
 }
 
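Review bot: choosing `rules` and `entries` before the loop is cleaner than a zero-length special case, but nothing records which of the two tables was installed; a single `printk` when `ima_use_tcb` selects `tcb_default_rules` would let whoever later reads the measurement list tell a uid 0 exec-only baseline from a full TCB baseline without recovering the boot command line. `rules` cannot be `const` because `list_add_tail()` links the entries through `.list`, so the plain pointer is correct as written.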


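Both postings above describe the rule tables in prose; the following userspace model is an added example (not kernel code and not the IMA implementation) that puts the first posting's `default_rules[]` and `tcb_default_rules[]` side by side and shows which accesses each measures. The field, flag and hook names and the two rule tables follow the hunks; the matching loop is the example's own re-implementation, assuming rules are tried in table order and the first applicable one decides. The numeric constants use the kernel's values, and the accesses in `main()` are constructed.

```c
/* Userspace model of the patch's two rule tables.  Added example, not kernel
 * code: names follow the hunks above, the matching loop is a re-implementation
 * (assumption: table order, first applicable rule decides).  Accesses in
 * main() are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum ima_hooks { FILE_MMAP, BPRM_CHECK, PATH_CHECK };
enum ima_action { MEASURE, DONT_MEASURE };
#define MAY_EXEC 0x1
#define MAY_READ 0x4
#define IMA_FUNC 0x1		/* flag bits: which rule fields are tested */
#define IMA_MASK 0x2
#define IMA_FSMAGIC 0x4
#define IMA_UID 0x8
#define PROC_SUPER_MAGIC 0x9fa0UL
#define SYSFS_MAGIC 0x62656572UL
#define DEBUGFS_MAGIC 0x64626720UL
#define EXT4_SUPER_MAGIC 0xef53UL
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct rule {
	enum ima_action action;
	enum ima_hooks func;
	int mask;
	unsigned long fsmagic;
	unsigned int uid;
	int flags;
};

/* Minimal default of the first posting: only uid 0's execs and exec mmaps. */
static const struct rule default_rules[] = {
	{.action = MEASURE, .func = FILE_MMAP, .mask = MAY_EXEC, .uid = 0,
	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, .uid = 0,
	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
};

/* TCB set selected by ima_tcb: pseudo-fs exclusions first, then every exec
 * by any user, then everything uid 0 opens for read. */
static const struct rule tcb_default_rules[] = {
	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
	{.action = MEASURE, .func = FILE_MMAP, .mask = MAY_EXEC, .flags = IMA_FUNC | IMA_MASK},
	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, .flags = IMA_FUNC | IMA_MASK},
	{.action = MEASURE, .func = PATH_CHECK, .mask = MAY_READ, .uid = 0,
	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
};

/* A rule applies only if every field its flags select matches the access. */
static bool rule_matches(const struct rule *r, enum ima_hooks func, int mask,
			 unsigned long fsmagic, unsigned int uid)
{
	if ((r->flags & IMA_FUNC) && r->func != func) return false;
	if ((r->flags & IMA_MASK) && r->mask != mask) return false;
	if ((r->flags & IMA_FSMAGIC) && r->fsmagic != fsmagic) return false;
	if ((r->flags & IMA_UID) && r->uid != uid) return false;
	return true;
}

/* Walk the table in order; first applicable rule decides, no match means not measured. */
static bool policy_measures(const struct rule *rules, size_t n, enum ima_hooks func,
			    int mask, unsigned long fsmagic, unsigned int uid)
{
	for (size_t i = 0; i < n; i++)
		if (rule_matches(&rules[i], func, mask, fsmagic, uid))
			return rules[i].action == MEASURE;
	return false;
}

bool default_measures(enum ima_hooks func, int mask, unsigned long fsmagic, unsigned int uid)
{ return policy_measures(default_rules, ARRAY_SIZE(default_rules), func, mask, fsmagic, uid); }

bool tcb_measures(enum ima_hooks func, int mask, unsigned long fsmagic, unsigned int uid)
{ return policy_measures(tcb_default_rules, ARRAY_SIZE(tcb_default_rules), func, mask, fsmagic, uid); }

int main(void)
{
	/* Constructed accesses: label, hook, permission mask, filesystem, caller uid. */
	const struct { const char *what; enum ima_hooks func; int mask;
		       unsigned long fsmagic; unsigned int uid; } c[] = {
		{"uid 0 exec, ext4", BPRM_CHECK, MAY_EXEC, EXT4_SUPER_MAGIC, 0},
		{"uid 1000 exec, ext4", BPRM_CHECK, MAY_EXEC, EXT4_SUPER_MAGIC, 1000},
		{"uid 0 read, ext4", PATH_CHECK, MAY_READ, EXT4_SUPER_MAGIC, 0},
		{"uid 1000 read, ext4", PATH_CHECK, MAY_READ, EXT4_SUPER_MAGIC, 1000},
		{"uid 0 exec, /proc", BPRM_CHECK, MAY_EXEC, PROC_SUPER_MAGIC, 0},
	};

	printf("%-22s %-8s %s\n", "access", "default", "ima_tcb");
	for (size_t i = 0; i < ARRAY_SIZE(c); i++)
		printf("%-22s %-8s %s\n", c[i].what,
		       default_measures(c[i].func, c[i].mask, c[i].fsmagic, c[i].uid) ? "yes" : "no",
		       tcb_measures(c[i].func, c[i].mask, c[i].fsmagic, c[i].uid) ? "yes" : "no");
	return 0;
}
```

The table it prints makes the trade-off in the thread concrete: the minimal set stays silent for everything a non-root user does, while the TCB set measures every exec and every root read. The last row is the case where the two disagree in the other direction: the TCB set excludes procfs through its `DONT_MEASURE` entry, the minimal set has no such entry and measures it.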
