What:		security/ima/policy
Date:		May 2008
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		The Trusted Computing Group (TCG) runtime Integrity
		Measurement Architecture (IMA) maintains a list of hash
		values of executables and other sensitive system files
		loaded into the run-time of this system.  At runtime,
		the policy can be constrained based on LSM specific data.
		Policies are loaded into the securityfs file ima/policy
		by opening the file, writing the rules one at a time and
		then closing the file.  The new policy takes effect after
		the file ima/policy is closed.

		rule format: action [condition ...]

		action: measure | dont_measure
		condition:= base | lsm
			base:	[[func=] [mask=] [fsmagic=] [uid=]]
			lsm:	[[subj_user=] [subj_role=] [subj_type=]
				 [obj_user=] [obj_role=] [obj_type=]]

		base:	func:= [BPRM_CHECK][FILE_MMAP][INODE_PERMISSION]
			mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
			fsmagic:= hex value
			uid:= decimal value
		lsm:	are LSM specific

		A rule matches an access only when every condition on
		the rule matches.  Rules are evaluated in the order in
		which they were written and the first matching rule
		decides, so dont_measure rules that exclude a filesystem
		or an LSM label must precede the measure rules they are
		meant to narrow.

		default policy:
			# PROC_SUPER_MAGIC
			dont_measure fsmagic=0x9fa0
			# SYSFS_MAGIC
			dont_measure fsmagic=0x62656572
			# DEBUGFS_MAGIC
			dont_measure fsmagic=0x64626720
			# TMPFS_MAGIC
			dont_measure fsmagic=0x01021994
			# SECURITYFS_MAGIC
			dont_measure fsmagic=0x73636673

			measure func=BPRM_CHECK
			measure func=FILE_MMAP mask=MAY_EXEC
			measure func=INODE_PERMISSION mask=MAY_READ uid=0

		The default policy measures all executables in bprm_check,
		all files mmapped executable in file_mmap, and all files
		opened for read by root in inode_permission.  Files on the
		pseudo filesystems excluded above are never measured.

		Examples of LSM specific definitions:

		SELinux:
			# SELINUX_MAGIC
			dont_measure fsmagic=0xF97CFF8C

			dont_measure obj_type=var_log_t
			dont_measure obj_type=auditd_log_t
			measure subj_user=system_u func=INODE_PERMISSION mask=MAY_READ
			measure subj_role=system_r func=INODE_PERMISSION mask=MAY_READ

		Smack:
			measure subj_user=_ func=INODE_PERMISSION mask=MAY_READ
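		The following is an added user-space example, not kernel
		code and not part of this ABI file.  It models the rule
		language above: it checks each rule against the documented
		grammar before anything is written, writes the rules one
		per write(2) to a policy file and closes it, and evaluates
		an access against the default and SELinux rule lists.  Two
		things it assumes are not stated on this page: that rules
		are tried in order with the first match deciding, and that
		an access matched by no rule is not measured.  The ext4
		magic value, the load_and_readback() self-check and the
		temporary file it writes to are example scaffolding; on a
		real system the path would be the securityfs file
		/sys/kernel/security/ima/policy.

```python
"""User-space model of the ima/policy rule language (added example, not
kernel code).  Assumed: first matching rule wins; no match means the file
is not measured.  EXT4_SUPER_MAGIC is an example on-disk filesystem value."""
import os
import tempfile

ACTIONS = {"measure", "dont_measure"}
FUNCS = {"BPRM_CHECK", "FILE_MMAP", "INODE_PERMISSION"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_APPEND", "MAY_EXEC"}
LSM_KEYS = {"subj_user", "subj_role", "subj_type",
            "obj_user", "obj_role", "obj_type"}

PROC_SUPER_MAGIC = 0x9FA0
EXT4_SUPER_MAGIC = 0xEF53  # example value for an ordinary on-disk filesystem

# The default policy from the page (order matters: exclusions come first).
DEFAULT_POLICY = """\
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673

measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=INODE_PERMISSION mask=MAY_READ uid=0
"""

# The SELinux example rules from the page.
SELINUX_RULES = """\
# SELINUX_MAGIC
dont_measure fsmagic=0xF97CFF8C
dont_measure obj_type=var_log_t
dont_measure obj_type=auditd_log_t
measure subj_user=system_u func=INODE_PERMISSION mask=MAY_READ
measure subj_role=system_r func=INODE_PERMISSION mask=MAY_READ
"""


def parse_rule(line):
    """Parse 'action [key=value ...]'; raise ValueError for anything off-grammar."""
    tokens = line.split()
    if not tokens or tokens[0] not in ACTIONS:
        raise ValueError("bad action in rule: %r" % line)
    rule = {"action": tokens[0]}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if not sep or not val or key in rule:
            raise ValueError("malformed or duplicate condition: %r" % tok)
        if key == "func" and val in FUNCS:
            rule[key] = val
        elif key == "mask" and val in MASKS:
            rule[key] = val
        elif key == "fsmagic":
            rule[key] = int(val, 16)           # hex value, 0x prefix optional
        elif key == "uid":
            rule[key] = int(val, 10)           # decimal value
        elif key in LSM_KEYS:
            rule[key] = val                    # opaque, LSM-specific label
        else:
            raise ValueError("unknown or invalid condition: %r" % tok)
        if key in ("fsmagic", "uid") and rule[key] < 0:
            raise ValueError("negative value in condition: %r" % tok)
    return rule


def rule_is_valid(line):
    """True if the line is a rule the grammar accepts."""
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False


def parse_policy(text):
    """Split a policy into (raw rule lines, parsed rules); '#' comments and
    blank lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    return lines, [parse_rule(ln) for ln in lines]


def match_policy(rules, access):
    """Decide an access described by a dict with any of func, mask, fsmagic,
    uid and LSM label keys.  Every condition on a rule must equal the
    access's value; the first matching rule decides (assumption)."""
    for rule in rules:
        if all(access.get(k) == v for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "dont_measure"  # assumption: unmatched accesses are not measured


def load_policy(path, text):
    """Validate every rule, then open the policy file once, write one rule
    per write(2) and close it (the policy takes effect on close).  A bad rule
    aborts before anything is written."""
    lines, rules = parse_policy(text)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
    try:
        for ln in lines:
            os.write(fd, (ln + "\n").encode())
    finally:
        os.close(fd)
    return len(rules)


def load_and_readback(text):
    """Self-check standing in for securityfs: load into a temporary file and
    return the rule lines that were written."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        load_policy(path, text)
        with open(path) as f:
            return f.read().splitlines()
    finally:
        os.unlink(path)


if __name__ == "__main__":
    _, rules = parse_policy(DEFAULT_POLICY)
    root_proc = {"func": "INODE_PERMISSION", "mask": "MAY_READ",
                 "fsmagic": PROC_SUPER_MAGIC, "uid": 0}
    root_disk = dict(root_proc, fsmagic=EXT4_SUPER_MAGIC)
    print("root reads a /proc file:", match_policy(rules, root_proc))  # dont_measure
    print("root reads an ext4 file:", match_policy(rules, root_disk))  # measure
    print("rules written:", len(load_and_readback(DEFAULT_POLICY)))    # 8
```

		Swapping the order of the rules reverses the outcome
		(a measure rule written before a dont_measure exclusion
		wins), which is the property to keep in mind when a policy
		is appended to rather than replaced.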