]>
Commit | Line | Data |
---|---|---|
4af4662f MZ |
1 | What: security/ima/policy |
2 | Date: May 2008 | |
3 | Contact: Mimi Zohar <zohar@us.ibm.com> | |
4 | Description: | |
5 | The Trusted Computing Group(TCG) runtime Integrity | |
6 | Measurement Architecture(IMA) maintains a list of hash | |
7 | values of executables and other sensitive system files | |
8 | loaded into the run-time of this system. At runtime, | |
9 | the policy can be constrained based on LSM specific data. | |
10 | Policies are loaded into the securityfs file ima/policy | |
11 | by opening the file, writing the rules one at a time and | |
12 | then closing the file. The new policy takes effect after | |
13 | the file ima/policy is closed. | |
14 | ||
07f6a794 MZ |
15 | IMA appraisal, if configured, uses these file measurements |
16 | for local measurement appraisal. | |
17 | ||
34433332 | 18 | :: |
4af4662f | 19 | |
34433332 MCC |
20 | rule format: action [condition ...] |
21 | ||
22 | action: measure | dont_measure | appraise | dont_appraise | | |
23 | audit | hash | dont_hash | |
24 | condition:= base | lsm [option] | |
85865c1f | 25 | base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] |
f1b08bbc | 26 | [euid=] [fowner=] [fsname=]] |
4af4662f MZ |
27 | lsm: [[subj_user=] [subj_role=] [subj_type=] |
28 | [obj_user=] [obj_role=] [obj_type=]] | |
19453ce0 | 29 | option: [[appraise_type=]] [template=] [permit_directio] |
e9085e0a | 30 | [appraise_flag=] [keyrings=] |
34433332 | 31 | base: |
c418eed8 | 32 | func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] |
34433332 | 33 | [FIRMWARE_CHECK] |
d9ddf077 | 34 | [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] |
5808611c | 35 | [KEXEC_CMDLINE] [KEY_CHECK] |
4351c294 MZ |
36 | mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] |
37 | [[^]MAY_EXEC] | |
4af4662f | 38 | fsmagic:= hex value |
85865c1f | 39 | fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) |
4af4662f | 40 | uid:= decimal value |
139069ef | 41 | euid:= decimal value |
fc26bd50 | 42 | fowner:= decimal value |
34433332 MCC |
43 | lsm: are LSM specific |
44 | option: | |
45 | appraise_type:= [imasig] [imasig|modsig] | |
273df864 NJ |
46 | appraise_flag:= [check_blacklist] |
47 | Currently, blacklist check is only for files signed with appended | |
48 | signature. | |
e9085e0a LR |
49 | keyrings:= list of keyrings |
50 | (eg, .builtin_trusted_keys|.ima). Only valid | |
51 | when action is "measure" and func is KEY_CHECK. | |
19453ce0 MG |
52 | template:= name of a defined IMA template type |
53 | (eg, ima-ng). Only valid when action is "measure". | |
fc26bd50 | 54 | pcr:= decimal value |
4af4662f | 55 | |
34433332 | 56 | default policy: |
4af4662f MZ |
57 | # PROC_SUPER_MAGIC |
58 | dont_measure fsmagic=0x9fa0 | |
07f6a794 | 59 | dont_appraise fsmagic=0x9fa0 |
4af4662f MZ |
60 | # SYSFS_MAGIC |
61 | dont_measure fsmagic=0x62656572 | |
07f6a794 | 62 | dont_appraise fsmagic=0x62656572 |
4af4662f MZ |
63 | # DEBUGFS_MAGIC |
64 | dont_measure fsmagic=0x64626720 | |
07f6a794 | 65 | dont_appraise fsmagic=0x64626720 |
4af4662f MZ |
66 | # TMPFS_MAGIC |
67 | dont_measure fsmagic=0x01021994 | |
07f6a794 MZ |
68 | dont_appraise fsmagic=0x01021994 |
69 | # RAMFS_MAGIC | |
07f6a794 | 70 | dont_appraise fsmagic=0x858458f6 |
6438de9f RS |
71 | # DEVPTS_SUPER_MAGIC |
72 | dont_measure fsmagic=0x1cd1 | |
73 | dont_appraise fsmagic=0x1cd1 | |
74 | # BINFMTFS_MAGIC | |
75 | dont_measure fsmagic=0x42494e4d | |
76 | dont_appraise fsmagic=0x42494e4d | |
4af4662f MZ |
77 | # SECURITYFS_MAGIC |
78 | dont_measure fsmagic=0x73636673 | |
07f6a794 | 79 | dont_appraise fsmagic=0x73636673 |
6438de9f RS |
80 | # SELINUX_MAGIC |
81 | dont_measure fsmagic=0xf97cff8c | |
82 | dont_appraise fsmagic=0xf97cff8c | |
83 | # CGROUP_SUPER_MAGIC | |
84 | dont_measure fsmagic=0x27e0eb | |
85 | dont_appraise fsmagic=0x27e0eb | |
cd025f7f MZ |
86 | # NSFS_MAGIC |
87 | dont_measure fsmagic=0x6e736673 | |
88 | dont_appraise fsmagic=0x6e736673 | |
4af4662f MZ |
89 | |
90 | measure func=BPRM_CHECK | |
91 | measure func=FILE_MMAP mask=MAY_EXEC | |
1e93d005 | 92 | measure func=FILE_CHECK mask=MAY_READ uid=0 |
5a9196d7 MZ |
93 | measure func=MODULE_CHECK |
94 | measure func=FIRMWARE_CHECK | |
07f6a794 | 95 | appraise fowner=0 |
4af4662f MZ |
96 | |
97 | The default policy measures all executables in bprm_check, | |
98 | all files mmapped executable in file_mmap, and all files | |
07f6a794 MZ |
99 | open for read by root in do_filp_open. The default appraisal |
100 | policy appraises all files owned by root. | |
4af4662f MZ |
101 | |
102 | Examples of LSM specific definitions: | |
103 | ||
34433332 MCC |
104 | SELinux:: |
105 | ||
4af4662f | 106 | dont_measure obj_type=var_log_t |
07f6a794 | 107 | dont_appraise obj_type=var_log_t |
4af4662f | 108 | dont_measure obj_type=auditd_log_t |
07f6a794 | 109 | dont_appraise obj_type=auditd_log_t |
1e93d005 MZ |
110 | measure subj_user=system_u func=FILE_CHECK mask=MAY_READ |
111 | measure subj_role=system_r func=FILE_CHECK mask=MAY_READ | |
4af4662f | 112 | |
34433332 MCC |
113 | Smack:: |
114 | ||
1e93d005 | 115 | measure subj_user=_ func=FILE_CHECK mask=MAY_READ |
fc26bd50 | 116 | |
34433332 | 117 | Example of measure rules using alternate PCRs:: |
fc26bd50 ER |
118 | |
119 | measure func=KEXEC_KERNEL_CHECK pcr=4 | |
120 | measure func=KEXEC_INITRAMFS_CHECK pcr=5 | |
9044d627 TJB |
121 | |
122 | Example of appraise rule allowing modsig appended signatures: | |
123 | ||
124 | appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig | |
5808611c LR |
125 | |
126 | Example of measure rule using KEY_CHECK to measure all keys: | |
127 | ||
128 | measure func=KEY_CHECK | |
e9085e0a LR |
129 | |
130 | Example of measure rule using KEY_CHECK to only measure | |
131 | keys added to .builtin_trusted_keys or .ima keyring: | |
132 | ||
133 | measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima |