1What: security/ima/policy 2Date: May 2008 3Contact: Mimi Zohar <zohar@us.ibm.com> 4Description: 5 The Trusted Computing Group(TCG) runtime Integrity 6 Measurement Architecture(IMA) maintains a list of hash 7 values of executables and other sensitive system files 8 loaded into the run-time of this system. At runtime, 9 the policy can be constrained based on LSM specific data. 10 Policies are loaded into the securityfs file ima/policy 11 by opening the file, writing the rules one at a time and 12 then closing the file. The new policy takes effect after 13 the file ima/policy is closed. 14 15 IMA appraisal, if configured, uses these file measurements 16 for local measurement appraisal. 17 18 rule format: action [condition ...] 19 20 action: measure | dont_measure | appraise | dont_appraise | 21 audit | hash | dont_hash 22 condition:= base | lsm [option] 23 base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] 24 [euid=] [fowner=] [fsname=]] 25 lsm: [[subj_user=] [subj_role=] [subj_type=] 26 [obj_user=] [obj_role=] [obj_type=]] 27 option: [[appraise_type=]] [template=] [permit_directio] 28 base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] 29 [FIRMWARE_CHECK] 30 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] 31 [KEXEC_CMDLINE] 32 mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] 33 [[^]MAY_EXEC] 34 fsmagic:= hex value 35 fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) 36 uid:= decimal value 37 euid:= decimal value 38 fowner:= decimal value 39 lsm: are LSM specific 40 option: appraise_type:= [imasig] [imasig|modsig] 41 template:= name of a defined IMA template type 42 (eg, ima-ng). Only valid when action is "measure". 43 pcr:= decimal value 44 45 default policy: 46 # PROC_SUPER_MAGIC 47 dont_measure fsmagic=0x9fa0 48 dont_appraise fsmagic=0x9fa0 49 # SYSFS_MAGIC 50 dont_measure fsmagic=0x62656572 51 dont_appraise fsmagic=0x62656572 52 # DEBUGFS_MAGIC 53 dont_measure fsmagic=0x64626720 54 dont_appraise fsmagic=0x64626720 55 # TMPFS_MAGIC 56 dont_measure fsmagic=0x01021994 57 dont_appraise fsmagic=0x01021994 58 # RAMFS_MAGIC 59 dont_appraise fsmagic=0x858458f6 60 # DEVPTS_SUPER_MAGIC 61 dont_measure fsmagic=0x1cd1 62 dont_appraise fsmagic=0x1cd1 63 # BINFMTFS_MAGIC 64 dont_measure fsmagic=0x42494e4d 65 dont_appraise fsmagic=0x42494e4d 66 # SECURITYFS_MAGIC 67 dont_measure fsmagic=0x73636673 68 dont_appraise fsmagic=0x73636673 69 # SELINUX_MAGIC 70 dont_measure fsmagic=0xf97cff8c 71 dont_appraise fsmagic=0xf97cff8c 72 # CGROUP_SUPER_MAGIC 73 dont_measure fsmagic=0x27e0eb 74 dont_appraise fsmagic=0x27e0eb 75 # NSFS_MAGIC 76 dont_measure fsmagic=0x6e736673 77 dont_appraise fsmagic=0x6e736673 78 79 measure func=BPRM_CHECK 80 measure func=FILE_MMAP mask=MAY_EXEC 81 measure func=FILE_CHECK mask=MAY_READ uid=0 82 measure func=MODULE_CHECK 83 measure func=FIRMWARE_CHECK 84 appraise fowner=0 85 86 The default policy measures all executables in bprm_check, 87 all files mmapped executable in file_mmap, and all files 88 open for read by root in do_filp_open. The default appraisal 89 policy appraises all files owned by root. 90 91 Examples of LSM specific definitions: 92 93 SELinux: 94 dont_measure obj_type=var_log_t 95 dont_appraise obj_type=var_log_t 96 dont_measure obj_type=auditd_log_t 97 dont_appraise obj_type=auditd_log_t 98 measure subj_user=system_u func=FILE_CHECK mask=MAY_READ 99 measure subj_role=system_r func=FILE_CHECK mask=MAY_READ 100 101 Smack: 102 measure subj_user=_ func=FILE_CHECK mask=MAY_READ 103 104 Example of measure rules using alternate PCRs: 105 106 measure func=KEXEC_KERNEL_CHECK pcr=4 107 measure func=KEXEC_INITRAMFS_CHECK pcr=5 108 109 Example of appraise rule allowing modsig appended signatures: 110 111 appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig 112