]>
Commit | Line | Data |
---|---|---|
4af4662f MZ |
1 | What: security/ima/policy |
2 | Date: May 2008 | |
3 | Contact: Mimi Zohar <zohar@us.ibm.com> | |
4 | Description: | |
5 | The Trusted Computing Group(TCG) runtime Integrity | |
6 | Measurement Architecture(IMA) maintains a list of hash | |
7 | values of executables and other sensitive system files | |
8 | loaded into the run-time of this system. At runtime, | |
9 | the policy can be constrained based on LSM specific data. | |
10 | Policies are loaded into the securityfs file ima/policy | |
11 | by opening the file, writing the rules one at a time and | |
12 | then closing the file. The new policy takes effect after | |
13 | the file ima/policy is closed. | |
14 | ||
07f6a794 MZ |
15 | IMA appraisal, if configured, uses these file measurements |
16 | for local measurement appraisal. | |
17 | ||
34433332 | 18 | :: |
4af4662f | 19 | |
34433332 MCC |
20 | rule format: action [condition ...] |
21 | ||
22 | action: measure | dont_measure | appraise | dont_appraise | | |
23 | audit | hash | dont_hash | |
24 | condition:= base | lsm [option] | |
85865c1f | 25 | base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] |
f1b08bbc | 26 | [euid=] [fowner=] [fsname=]] |
4af4662f MZ |
27 | lsm: [[subj_user=] [subj_role=] [subj_type=] |
28 | [obj_user=] [obj_role=] [obj_type=]] | |
19453ce0 | 29 | option: [[appraise_type=]] [template=] [permit_directio] |
583a80ae | 30 | [appraise_flag=] [appraise_algos=] [keyrings=] |
34433332 | 31 | base: |
c418eed8 | 32 | func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] |
4f2946aa | 33 | [FIRMWARE_CHECK] |
d9ddf077 | 34 | [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] |
c4e43aa2 | 35 | [KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA] |
4f2946aa | 36 | [SETXATTR_CHECK] |
4351c294 MZ |
37 | mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] |
38 | [[^]MAY_EXEC] | |
4af4662f | 39 | fsmagic:= hex value |
85865c1f | 40 | fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) |
4af4662f | 41 | uid:= decimal value |
139069ef | 42 | euid:= decimal value |
fc26bd50 | 43 | fowner:= decimal value |
34433332 MCC |
44 | lsm: are LSM specific |
45 | option: | |
46 | appraise_type:= [imasig] [imasig|modsig] | |
273df864 NJ |
47 | appraise_flag:= [check_blacklist] |
48 | Currently, blacklist check is only for files signed with appended | |
49 | signature. | |
e9085e0a LR |
50 | keyrings:= list of keyrings |
51 | (eg, .builtin_trusted_keys|.ima). Only valid | |
52 | when action is "measure" and func is KEY_CHECK. | |
19453ce0 MG |
53 | template:= name of a defined IMA template type |
54 | (eg, ima-ng). Only valid when action is "measure". | |
fc26bd50 | 55 | pcr:= decimal value |
b3f82afc | 56 | label:= [selinux]|[kernel_info]|[data_label] |
47d76a48 | 57 | data_label:= a unique string used for grouping and limiting critical data. |
fdd1ffe8 | 58 | For example, "selinux" to measure critical data for SELinux. |
583a80ae TS |
59 | appraise_algos:= comma-separated list of hash algorithms |
60 | For example, "sha256,sha512" to only accept to appraise | |
61 | files where the security.ima xattr was hashed with one | |
62 | of these two algorithms. | |
4af4662f | 63 | |
34433332 | 64 | default policy: |
4af4662f MZ |
65 | # PROC_SUPER_MAGIC |
66 | dont_measure fsmagic=0x9fa0 | |
07f6a794 | 67 | dont_appraise fsmagic=0x9fa0 |
4af4662f MZ |
68 | # SYSFS_MAGIC |
69 | dont_measure fsmagic=0x62656572 | |
07f6a794 | 70 | dont_appraise fsmagic=0x62656572 |
4af4662f MZ |
71 | # DEBUGFS_MAGIC |
72 | dont_measure fsmagic=0x64626720 | |
07f6a794 | 73 | dont_appraise fsmagic=0x64626720 |
4af4662f MZ |
74 | # TMPFS_MAGIC |
75 | dont_measure fsmagic=0x01021994 | |
07f6a794 MZ |
76 | dont_appraise fsmagic=0x01021994 |
77 | # RAMFS_MAGIC | |
07f6a794 | 78 | dont_appraise fsmagic=0x858458f6 |
6438de9f RS |
79 | # DEVPTS_SUPER_MAGIC |
80 | dont_measure fsmagic=0x1cd1 | |
81 | dont_appraise fsmagic=0x1cd1 | |
82 | # BINFMTFS_MAGIC | |
83 | dont_measure fsmagic=0x42494e4d | |
84 | dont_appraise fsmagic=0x42494e4d | |
4af4662f MZ |
85 | # SECURITYFS_MAGIC |
86 | dont_measure fsmagic=0x73636673 | |
07f6a794 | 87 | dont_appraise fsmagic=0x73636673 |
6438de9f RS |
88 | # SELINUX_MAGIC |
89 | dont_measure fsmagic=0xf97cff8c | |
90 | dont_appraise fsmagic=0xf97cff8c | |
91 | # CGROUP_SUPER_MAGIC | |
92 | dont_measure fsmagic=0x27e0eb | |
93 | dont_appraise fsmagic=0x27e0eb | |
cd025f7f MZ |
94 | # NSFS_MAGIC |
95 | dont_measure fsmagic=0x6e736673 | |
96 | dont_appraise fsmagic=0x6e736673 | |
4af4662f MZ |
97 | |
98 | measure func=BPRM_CHECK | |
99 | measure func=FILE_MMAP mask=MAY_EXEC | |
1e93d005 | 100 | measure func=FILE_CHECK mask=MAY_READ uid=0 |
5a9196d7 MZ |
101 | measure func=MODULE_CHECK |
102 | measure func=FIRMWARE_CHECK | |
07f6a794 | 103 | appraise fowner=0 |
4af4662f MZ |
104 | |
105 | The default policy measures all executables in bprm_check, | |
106 | all files mmapped executable in file_mmap, and all files | |
07f6a794 MZ |
107 | open for read by root in do_filp_open. The default appraisal |
108 | policy appraises all files owned by root. | |
4af4662f MZ |
109 | |
110 | Examples of LSM specific definitions: | |
111 | ||
34433332 MCC |
112 | SELinux:: |
113 | ||
4af4662f | 114 | dont_measure obj_type=var_log_t |
07f6a794 | 115 | dont_appraise obj_type=var_log_t |
4af4662f | 116 | dont_measure obj_type=auditd_log_t |
07f6a794 | 117 | dont_appraise obj_type=auditd_log_t |
1e93d005 MZ |
118 | measure subj_user=system_u func=FILE_CHECK mask=MAY_READ |
119 | measure subj_role=system_r func=FILE_CHECK mask=MAY_READ | |
4af4662f | 120 | |
34433332 MCC |
121 | Smack:: |
122 | ||
1e93d005 | 123 | measure subj_user=_ func=FILE_CHECK mask=MAY_READ |
fc26bd50 | 124 | |
34433332 | 125 | Example of measure rules using alternate PCRs:: |
fc26bd50 ER |
126 | |
127 | measure func=KEXEC_KERNEL_CHECK pcr=4 | |
128 | measure func=KEXEC_INITRAMFS_CHECK pcr=5 | |
9044d627 TJB |
129 | |
130 | Example of appraise rule allowing modsig appended signatures: | |
131 | ||
132 | appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig | |
5808611c LR |
133 | |
134 | Example of measure rule using KEY_CHECK to measure all keys: | |
135 | ||
136 | measure func=KEY_CHECK | |
e9085e0a LR |
137 | |
138 | Example of measure rule using KEY_CHECK to only measure | |
139 | keys added to .builtin_trusted_keys or .ima keyring: | |
140 | ||
141 | measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima | |
4f2946aa TS |
142 | |
143 | Example of the special SETXATTR_CHECK appraise rule, that | |
144 | restricts the hash algorithms allowed when writing to the | |
145 | security.ima xattr of a file: | |
146 | ||
147 | appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512 |