projects / mirror_ubuntu-jammy-kernel.git / blame
| Commit | Line | Data |
|---|---|---|
| 4af4662f MZ |
1 | What: security/ima/policy |
| 2 | Date: May 2008 | |
| 3 | Contact: Mimi Zohar <zohar@us.ibm.com> | |
| 4 | Description: | |
| 5 | The Trusted Computing Group(TCG) runtime Integrity | |
| 6 | Measurement Architecture(IMA) maintains a list of hash | |
| 7 | values of executables and other sensitive system files | |
| 8 | loaded into the run-time of this system. At runtime, | |
| 9 | the policy can be constrained based on LSM specific data. | |
| 10 | Policies are loaded into the securityfs file ima/policy | |
| 11 | by opening the file, writing the rules one at a time and | |
| 12 | then closing the file. The new policy takes effect after | |
| 13 | the file ima/policy is closed. | |
| 14 | ||
| 07f6a794 MZ |
15 | IMA appraisal, if configured, uses these file measurements |
| 16 | for local measurement appraisal. | |
| 17 | ||
| 34433332 | 18 | :: |
| 4af4662f | 19 | |
| 34433332 MCC |
20 | rule format: action [condition ...] |
| 21 | ||
| 22 | action: measure | dont_measure | appraise | dont_appraise | | |
| 23 | audit | hash | dont_hash | |
| 24 | condition:= base | lsm [option] | |
| 85865c1f | 25 | base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] |
| f1b08bbc | 26 | [euid=] [fowner=] [fsname=]] |
| 4af4662f MZ |
27 | lsm: [[subj_user=] [subj_role=] [subj_type=] |
| 28 | [obj_user=] [obj_role=] [obj_type=]] | |
| 19453ce0 | 29 | option: [[appraise_type=]] [template=] [permit_directio] |
| 583a80ae | 30 | [appraise_flag=] [appraise_algos=] [keyrings=] |
| 34433332 | 31 | base: |
| c418eed8 | 32 | func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] |
| 4f2946aa | 33 | [FIRMWARE_CHECK] |
| d9ddf077 | 34 | [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] |
| c4e43aa2 | 35 | [KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA] |
| 4f2946aa | 36 | [SETXATTR_CHECK] |
| 4351c294 MZ |
37 | mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] |
| 38 | [[^]MAY_EXEC] | |
| 4af4662f | 39 | fsmagic:= hex value |
| 85865c1f | 40 | fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) |
| 4af4662f | 41 | uid:= decimal value |
| 139069ef | 42 | euid:= decimal value |
| fc26bd50 | 43 | fowner:= decimal value |
| 34433332 MCC |
44 | lsm: are LSM specific |
| 45 | option: | |
| 46 | appraise_type:= [imasig] [imasig|modsig] | |
| 273df864 NJ |
47 | appraise_flag:= [check_blacklist] |
| 48 | Currently, blacklist check is only for files signed with appended | |
| 49 | signature. | |
| e9085e0a LR |
50 | keyrings:= list of keyrings |
| 51 | (eg, .builtin_trusted_keys|.ima). Only valid | |
| 52 | when action is "measure" and func is KEY_CHECK. | |
| 19453ce0 MG |
53 | template:= name of a defined IMA template type |
| 54 | (eg, ima-ng). Only valid when action is "measure". | |
| fc26bd50 | 55 | pcr:= decimal value |
| b3f82afc | 56 | label:= [selinux]|[kernel_info]|[data_label] |
| 47d76a48 | 57 | data_label:= a unique string used for grouping and limiting critical data. |
| fdd1ffe8 | 58 | For example, "selinux" to measure critical data for SELinux. |
| 583a80ae TS |
59 | appraise_algos:= comma-separated list of hash algorithms |
| 60 | For example, "sha256,sha512" to only accept to appraise | |
| 61 | files where the security.ima xattr was hashed with one | |
| 62 | of these two algorithms. | |
| 4af4662f | 63 | |
| 34433332 | 64 | default policy: |
| 4af4662f MZ |
65 | # PROC_SUPER_MAGIC |
| 66 | dont_measure fsmagic=0x9fa0 | |
| 07f6a794 | 67 | dont_appraise fsmagic=0x9fa0 |
| 4af4662f MZ |
68 | # SYSFS_MAGIC |
| 69 | dont_measure fsmagic=0x62656572 | |
| 07f6a794 | 70 | dont_appraise fsmagic=0x62656572 |
| 4af4662f MZ |
71 | # DEBUGFS_MAGIC |
| 72 | dont_measure fsmagic=0x64626720 | |
| 07f6a794 | 73 | dont_appraise fsmagic=0x64626720 |
| 4af4662f MZ |
74 | # TMPFS_MAGIC |
| 75 | dont_measure fsmagic=0x01021994 | |
| 07f6a794 MZ |
76 | dont_appraise fsmagic=0x01021994 |
| 77 | # RAMFS_MAGIC | |
| 07f6a794 | 78 | dont_appraise fsmagic=0x858458f6 |
| 6438de9f RS |
79 | # DEVPTS_SUPER_MAGIC |
| 80 | dont_measure fsmagic=0x1cd1 | |
| 81 | dont_appraise fsmagic=0x1cd1 | |
| 82 | # BINFMTFS_MAGIC | |
| 83 | dont_measure fsmagic=0x42494e4d | |
| 84 | dont_appraise fsmagic=0x42494e4d | |
| 4af4662f MZ |
85 | # SECURITYFS_MAGIC |
| 86 | dont_measure fsmagic=0x73636673 | |
| 07f6a794 | 87 | dont_appraise fsmagic=0x73636673 |
| 6438de9f RS |
88 | # SELINUX_MAGIC |
| 89 | dont_measure fsmagic=0xf97cff8c | |
| 90 | dont_appraise fsmagic=0xf97cff8c | |
| 91 | # CGROUP_SUPER_MAGIC | |
| 92 | dont_measure fsmagic=0x27e0eb | |
| 93 | dont_appraise fsmagic=0x27e0eb | |
| cd025f7f MZ |
94 | # NSFS_MAGIC |
| 95 | dont_measure fsmagic=0x6e736673 | |
| 96 | dont_appraise fsmagic=0x6e736673 | |
| 4af4662f MZ |
97 | |
| 98 | measure func=BPRM_CHECK | |
| 99 | measure func=FILE_MMAP mask=MAY_EXEC | |
| 1e93d005 | 100 | measure func=FILE_CHECK mask=MAY_READ uid=0 |
| 5a9196d7 MZ |
101 | measure func=MODULE_CHECK |
| 102 | measure func=FIRMWARE_CHECK | |
| 07f6a794 | 103 | appraise fowner=0 |
| 4af4662f MZ |
104 | |
| 105 | The default policy measures all executables in bprm_check, | |
| 106 | all files mmapped executable in file_mmap, and all files | |
| 07f6a794 MZ |
107 | open for read by root in do_filp_open. The default appraisal |
| 108 | policy appraises all files owned by root. | |
| 4af4662f MZ |
109 | |
| 110 | Examples of LSM specific definitions: | |
| 111 | ||
| 34433332 MCC |
112 | SELinux:: |
| 113 | ||
| 4af4662f | 114 | dont_measure obj_type=var_log_t |
| 07f6a794 | 115 | dont_appraise obj_type=var_log_t |
| 4af4662f | 116 | dont_measure obj_type=auditd_log_t |
| 07f6a794 | 117 | dont_appraise obj_type=auditd_log_t |
| 1e93d005 MZ |
118 | measure subj_user=system_u func=FILE_CHECK mask=MAY_READ |
| 119 | measure subj_role=system_r func=FILE_CHECK mask=MAY_READ | |
| 4af4662f | 120 | |
| 34433332 MCC |
121 | Smack:: |
| 122 | ||
| 1e93d005 | 123 | measure subj_user=_ func=FILE_CHECK mask=MAY_READ |
| fc26bd50 | 124 | |
| 34433332 | 125 | Example of measure rules using alternate PCRs:: |
| fc26bd50 ER |
126 | |
| 127 | measure func=KEXEC_KERNEL_CHECK pcr=4 | |
| 128 | measure func=KEXEC_INITRAMFS_CHECK pcr=5 | |
| 9044d627 TJB |
129 | |
| 130 | Example of appraise rule allowing modsig appended signatures: | |
| 131 | ||
| 132 | appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig | |
| 5808611c LR |
133 | |
| 134 | Example of measure rule using KEY_CHECK to measure all keys: | |
| 135 | ||
| 136 | measure func=KEY_CHECK | |
| e9085e0a LR |
137 | |
| 138 | Example of measure rule using KEY_CHECK to only measure | |
| 139 | keys added to .builtin_trusted_keys or .ima keyring: | |
| 140 | ||
| 141 | measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima | |
| 4f2946aa TS |
142 | |
| 143 | Example of the special SETXATTR_CHECK appraise rule, that | |
| 144 | restricts the hash algorithms allowed when writing to the | |
| 145 | security.ima xattr of a file: | |
| 146 | ||
| 147 | appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512 |