1What: security/ima/policy 2Date: May 2008 3Contact: Mimi Zohar <zohar@us.ibm.com> 4Description: 5 The Trusted Computing Group(TCG) runtime Integrity 6 Measurement Architecture(IMA) maintains a list of hash 7 values of executables and other sensitive system files 8 loaded into the run-time of this system. At runtime, 9 the policy can be constrained based on LSM specific data. 10 Policies are loaded into the securityfs file ima/policy 11 by opening the file, writing the rules one at a time and 12 then closing the file. The new policy takes effect after 13 the file ima/policy is closed. 14 15 IMA appraisal, if configured, uses these file measurements 16 for local measurement appraisal. 17 18 rule format: action [condition ...] 19 20 action: measure | dont_measure | appraise | dont_appraise | 21 audit | hash | dont_hash 22 condition:= base | lsm [option] 23 base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] 24 [euid=] [fowner=]] 25 lsm: [[subj_user=] [subj_role=] [subj_type=] 26 [obj_user=] [obj_role=] [obj_type=]] 27 option: [[appraise_type=]] [permit_directio] 28 29 base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK] 30 [FIRMWARE_CHECK] 31 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] 32 mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] 33 [[^]MAY_EXEC] 34 fsmagic:= hex value 35 fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) 36 uid:= decimal value 37 euid:= decimal value 38 fowner:= decimal value 39 lsm: are LSM specific 40 option: appraise_type:= [imasig] 41 pcr:= decimal value 42 43 default policy: 44 # PROC_SUPER_MAGIC 45 dont_measure fsmagic=0x9fa0 46 dont_appraise fsmagic=0x9fa0 47 # SYSFS_MAGIC 48 dont_measure fsmagic=0x62656572 49 dont_appraise fsmagic=0x62656572 50 # DEBUGFS_MAGIC 51 dont_measure fsmagic=0x64626720 52 dont_appraise fsmagic=0x64626720 53 # TMPFS_MAGIC 54 dont_measure fsmagic=0x01021994 55 dont_appraise fsmagic=0x01021994 56 # RAMFS_MAGIC 57 dont_appraise fsmagic=0x858458f6 58 # DEVPTS_SUPER_MAGIC 59 dont_measure fsmagic=0x1cd1 60 dont_appraise fsmagic=0x1cd1 61 # BINFMTFS_MAGIC 62 dont_measure fsmagic=0x42494e4d 63 dont_appraise fsmagic=0x42494e4d 64 # SECURITYFS_MAGIC 65 dont_measure fsmagic=0x73636673 66 dont_appraise fsmagic=0x73636673 67 # SELINUX_MAGIC 68 dont_measure fsmagic=0xf97cff8c 69 dont_appraise fsmagic=0xf97cff8c 70 # CGROUP_SUPER_MAGIC 71 dont_measure fsmagic=0x27e0eb 72 dont_appraise fsmagic=0x27e0eb 73 # NSFS_MAGIC 74 dont_measure fsmagic=0x6e736673 75 dont_appraise fsmagic=0x6e736673 76 77 measure func=BPRM_CHECK 78 measure func=FILE_MMAP mask=MAY_EXEC 79 measure func=FILE_CHECK mask=MAY_READ uid=0 80 measure func=MODULE_CHECK 81 measure func=FIRMWARE_CHECK 82 appraise fowner=0 83 84 The default policy measures all executables in bprm_check, 85 all files mmapped executable in file_mmap, and all files 86 open for read by root in do_filp_open. The default appraisal 87 policy appraises all files owned by root. 88 89 Examples of LSM specific definitions: 90 91 SELinux: 92 dont_measure obj_type=var_log_t 93 dont_appraise obj_type=var_log_t 94 dont_measure obj_type=auditd_log_t 95 dont_appraise obj_type=auditd_log_t 96 measure subj_user=system_u func=FILE_CHECK mask=MAY_READ 97 measure subj_role=system_r func=FILE_CHECK mask=MAY_READ 98 99 Smack: 100 measure subj_user=_ func=FILE_CHECK mask=MAY_READ 101 102 Example of measure rules using alternate PCRs: 103 104 measure func=KEXEC_KERNEL_CHECK pcr=4 105 measure func=KEXEC_INITRAMFS_CHECK pcr=5 106