1What: security/ima/policy 2Date: May 2008 3Contact: Mimi Zohar <zohar@us.ibm.com> 4Description: 5 The Trusted Computing Group(TCG) runtime Integrity 6 Measurement Architecture(IMA) maintains a list of hash 7 values of executables and other sensitive system files 8 loaded into the run-time of this system. At runtime, 9 the policy can be constrained based on LSM specific data. 10 Policies are loaded into the securityfs file ima/policy 11 by opening the file, writing the rules one at a time and 12 then closing the file. The new policy takes effect after 13 the file ima/policy is closed. 14 15 IMA appraisal, if configured, uses these file measurements 16 for local measurement appraisal. 17 18 :: 19 20 rule format: action [condition ...] 21 22 action: measure | dont_measure | appraise | dont_appraise | 23 audit | hash | dont_hash 24 condition:= base | lsm [option] 25 base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] 26 [euid=] [fowner=] [fsname=]] 27 lsm: [[subj_user=] [subj_role=] [subj_type=] 28 [obj_user=] [obj_role=] [obj_type=]] 29 option: [[appraise_type=]] [template=] [permit_directio] 30 [appraise_flag=] [keyrings=] 31 base: 32 func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK]MODULE_CHECK] 33 [FIRMWARE_CHECK] 34 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] 35 [KEXEC_CMDLINE] [KEY_CHECK] 36 mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] 37 [[^]MAY_EXEC] 38 fsmagic:= hex value 39 fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) 40 uid:= decimal value 41 euid:= decimal value 42 fowner:= decimal value 43 lsm: are LSM specific 44 option: 45 appraise_type:= [imasig] [imasig|modsig] 46 appraise_flag:= [check_blacklist] 47 Currently, blacklist check is only for files signed with appended 48 signature. 49 keyrings:= list of keyrings 50 (eg, .builtin_trusted_keys|.ima). Only valid 51 when action is "measure" and func is KEY_CHECK. 52 template:= name of a defined IMA template type 53 (eg, ima-ng). Only valid when action is "measure". 54 pcr:= decimal value 55 56 default policy: 57 # PROC_SUPER_MAGIC 58 dont_measure fsmagic=0x9fa0 59 dont_appraise fsmagic=0x9fa0 60 # SYSFS_MAGIC 61 dont_measure fsmagic=0x62656572 62 dont_appraise fsmagic=0x62656572 63 # DEBUGFS_MAGIC 64 dont_measure fsmagic=0x64626720 65 dont_appraise fsmagic=0x64626720 66 # TMPFS_MAGIC 67 dont_measure fsmagic=0x01021994 68 dont_appraise fsmagic=0x01021994 69 # RAMFS_MAGIC 70 dont_appraise fsmagic=0x858458f6 71 # DEVPTS_SUPER_MAGIC 72 dont_measure fsmagic=0x1cd1 73 dont_appraise fsmagic=0x1cd1 74 # BINFMTFS_MAGIC 75 dont_measure fsmagic=0x42494e4d 76 dont_appraise fsmagic=0x42494e4d 77 # SECURITYFS_MAGIC 78 dont_measure fsmagic=0x73636673 79 dont_appraise fsmagic=0x73636673 80 # SELINUX_MAGIC 81 dont_measure fsmagic=0xf97cff8c 82 dont_appraise fsmagic=0xf97cff8c 83 # CGROUP_SUPER_MAGIC 84 dont_measure fsmagic=0x27e0eb 85 dont_appraise fsmagic=0x27e0eb 86 # NSFS_MAGIC 87 dont_measure fsmagic=0x6e736673 88 dont_appraise fsmagic=0x6e736673 89 90 measure func=BPRM_CHECK 91 measure func=FILE_MMAP mask=MAY_EXEC 92 measure func=FILE_CHECK mask=MAY_READ uid=0 93 measure func=MODULE_CHECK 94 measure func=FIRMWARE_CHECK 95 appraise fowner=0 96 97 The default policy measures all executables in bprm_check, 98 all files mmapped executable in file_mmap, and all files 99 open for read by root in do_filp_open. The default appraisal 100 policy appraises all files owned by root. 101 102 Examples of LSM specific definitions: 103 104 SELinux:: 105 106 dont_measure obj_type=var_log_t 107 dont_appraise obj_type=var_log_t 108 dont_measure obj_type=auditd_log_t 109 dont_appraise obj_type=auditd_log_t 110 measure subj_user=system_u func=FILE_CHECK mask=MAY_READ 111 measure subj_role=system_r func=FILE_CHECK mask=MAY_READ 112 113 Smack:: 114 115 measure subj_user=_ func=FILE_CHECK mask=MAY_READ 116 117 Example of measure rules using alternate PCRs:: 118 119 measure func=KEXEC_KERNEL_CHECK pcr=4 120 measure func=KEXEC_INITRAMFS_CHECK pcr=5 121 122 Example of appraise rule allowing modsig appended signatures: 123 124 appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig 125 126 Example of measure rule using KEY_CHECK to measure all keys: 127 128 measure func=KEY_CHECK 129 130 Example of measure rule using KEY_CHECK to only measure 131 keys added to .builtin_trusted_keys or .ima keyring: 132 133 measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima 134