What:		security/ima/policy
Date:		May 2008
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		The Trusted Computing Group (TCG) runtime Integrity
		Measurement Architecture (IMA) maintains a measurement
		list of hash values of executables and other sensitive
		system files accessed at run time; when a TPM is present
		each measurement also extends a PCR, so the list can be
		remotely attested.  Which files are measured is decided by
		the policy described below, which can additionally be
		constrained on LSM specific data (e.g. SELinux labels).
		Policies are loaded into the securityfs file ima/policy
		by opening the file, writing the rules one at a time and
		then closing the file.  The new policy takes effect only
		after the file ima/policy is closed; until then the
		previously loaded policy (or the built-in default policy
		shown below, if none has been loaded) remains in effect.
14
		IMA appraisal, if configured, uses these file measurements
		to appraise (verify) files locally against the reference
		hash or signature stored in their security.ima extended
		attribute; see the appraise/dont_appraise actions below.
17
18		::
19
20		  rule format: action [condition ...]
21
22		  action: measure | dont_measure | appraise | dont_appraise |
23			  audit | hash | dont_hash
24		  condition:= base | lsm  [option]
25			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
26				[euid=] [fowner=] [fsname=]]
27			lsm:	[[subj_user=] [subj_role=] [subj_type=]
28				 [obj_user=] [obj_role=] [obj_type=]]
			option:	[[appraise_type=]] [template=] [permit_directio]
				[appraise_flag=] [appraise_algos=] [keyrings=]
				[pcr=] [label=]
31		  base:
32			func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
33				[FIRMWARE_CHECK]
34				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
35				[KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
36				[SETXATTR_CHECK]
37			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
38			       [[^]MAY_EXEC]
39			fsmagic:= hex value
			fsuuid:= file system UUID (e.g. 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
41			uid:= decimal value
42			euid:= decimal value
43			fowner:= decimal value
44		  lsm:  are LSM specific
45		  option:
			appraise_type:= [imasig] [imasig|modsig]
			appraise_flag:= [check_blacklist]
			Currently, the blacklist check is only performed for files
			signed with an appended signature (appraise_type=imasig|modsig);
			a file whose hash is blacklisted fails appraisal.
50			keyrings:= list of keyrings
51			(eg, .builtin_trusted_keys|.ima). Only valid
52			when action is "measure" and func is KEY_CHECK.
53			template:= name of a defined IMA template type
54			(eg, ima-ng). Only valid when action is "measure".
55			pcr:= decimal value
56			label:= [selinux]|[kernel_info]|[data_label]
57			data_label:= a unique string used for grouping and limiting critical data.
58			For example, "selinux" to measure critical data for SELinux.
			appraise_algos:= comma-separated list of hash algorithms
			For example, "sha256,sha512" to accept only security.ima
			xattr values (hashes or signatures) computed with one of
			these two algorithms; writes to security.ima using any
			other algorithm are rejected.  Used with the
			SETXATTR_CHECK hook (see the example below).
63
		  default policy (built in; in effect until a policy is loaded):
65			# PROC_SUPER_MAGIC
66			dont_measure fsmagic=0x9fa0
67			dont_appraise fsmagic=0x9fa0
68			# SYSFS_MAGIC
69			dont_measure fsmagic=0x62656572
70			dont_appraise fsmagic=0x62656572
71			# DEBUGFS_MAGIC
72			dont_measure fsmagic=0x64626720
73			dont_appraise fsmagic=0x64626720
74			# TMPFS_MAGIC
75			dont_measure fsmagic=0x01021994
76			dont_appraise fsmagic=0x01021994
77			# RAMFS_MAGIC
78			dont_appraise fsmagic=0x858458f6
79			# DEVPTS_SUPER_MAGIC
80			dont_measure fsmagic=0x1cd1
81			dont_appraise fsmagic=0x1cd1
82			# BINFMTFS_MAGIC
83			dont_measure fsmagic=0x42494e4d
84			dont_appraise fsmagic=0x42494e4d
85			# SECURITYFS_MAGIC
86			dont_measure fsmagic=0x73636673
87			dont_appraise fsmagic=0x73636673
88			# SELINUX_MAGIC
89			dont_measure fsmagic=0xf97cff8c
90			dont_appraise fsmagic=0xf97cff8c
91			# CGROUP_SUPER_MAGIC
92			dont_measure fsmagic=0x27e0eb
93			dont_appraise fsmagic=0x27e0eb
94			# NSFS_MAGIC
95			dont_measure fsmagic=0x6e736673
96			dont_appraise fsmagic=0x6e736673
97
98			measure func=BPRM_CHECK
			measure func=MMAP_CHECK mask=MAY_EXEC
100			measure func=FILE_CHECK mask=MAY_READ uid=0
101			measure func=MODULE_CHECK
102			measure func=FIRMWARE_CHECK
103			appraise fowner=0
104
		The default policy measures all executables at exec time
		(BPRM_CHECK), all files mmapped executable (MMAP_CHECK,
		historically spelled FILE_MMAP), all files opened for read
		by root (FILE_CHECK, uid=0), and all kernel modules and
		firmware (MODULE_CHECK, FIRMWARE_CHECK).  The default
		appraisal policy appraises all files owned by root
		(fowner=0), except on the pseudo filesystems excluded by
		the dont_appraise rules above.
109
110		Examples of LSM specific definitions:
111
112		SELinux::
113
114			dont_measure obj_type=var_log_t
115			dont_appraise obj_type=var_log_t
116			dont_measure obj_type=auditd_log_t
117			dont_appraise obj_type=auditd_log_t
118			measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
119			measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
120
121		Smack::
122
123			measure subj_user=_ func=FILE_CHECK mask=MAY_READ
124
125		Example of measure rules using alternate PCRs::
126
127			measure func=KEXEC_KERNEL_CHECK pcr=4
128			measure func=KEXEC_INITRAMFS_CHECK pcr=5
129
		Example of appraise rule accepting either an IMA signature or a
		modsig appended signature::
131
132			appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
133
		Example of measure rule using KEY_CHECK to measure all keys as
		they are added to any keyring::
135
136			measure func=KEY_CHECK
137
		Example of measure rule using KEY_CHECK to measure only keys
		added to the .builtin_trusted_keys or .ima keyring::
140
141			measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
142
		Example of the special SETXATTR_CHECK appraise rule, which
		restricts the hash algorithms allowed when writing the
		security.ima xattr of a file (writes using any other
		algorithm are rejected)::
146
147			appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512
148