
Documentation / ABI / testing / ima_policy
Based on kernel version 4.7.2. Page generated on 2016-08-22 22:39 EST.

What:		security/ima/policy
Date:		May 2008
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		The Trusted Computing Group (TCG) runtime Integrity
		Measurement Architecture (IMA) maintains a list of hash
		values of executables and other sensitive system files
		loaded into the run-time of this system.  At runtime,
		the policy can be constrained based on LSM specific data.
		Policies are loaded into the securityfs file ima/policy
		by opening the file, writing the rules one at a time and
		then closing the file.  The new policy takes effect after
		the file ima/policy is closed.

		IMA appraisal, if configured, uses these file measurements
		for local measurement appraisal.

		rule format: action [condition ...]

		action: measure | dont_measure | appraise | dont_appraise | audit
		condition:= base | lsm [option]
			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
				[euid=] [fowner=]]
			lsm:	[[subj_user=] [subj_role=] [subj_type=]
				 [obj_user=] [obj_role=] [obj_type=]]
			option:	[[appraise_type=]] [permit_directio]

		base:	func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
				[FIRMWARE_CHECK]
				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
			       [[^]MAY_EXEC]
			fsmagic:= hex value
			fsuuid:= file system UUID (e.g. 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
			uid:= decimal value
			euid:= decimal value
			fowner:= decimal value
		lsm:	are LSM specific
		option:	appraise_type:= [imasig]

		default policy:
			# PROC_SUPER_MAGIC
			dont_measure fsmagic=0x9fa0
			dont_appraise fsmagic=0x9fa0
			# SYSFS_MAGIC
			dont_measure fsmagic=0x62656572
			dont_appraise fsmagic=0x62656572
			# DEBUGFS_MAGIC
			dont_measure fsmagic=0x64626720
			dont_appraise fsmagic=0x64626720
			# TMPFS_MAGIC
			dont_measure fsmagic=0x01021994
			dont_appraise fsmagic=0x01021994
			# RAMFS_MAGIC
			dont_appraise fsmagic=0x858458f6
			# DEVPTS_SUPER_MAGIC
			dont_measure fsmagic=0x1cd1
			dont_appraise fsmagic=0x1cd1
			# BINFMTFS_MAGIC
			dont_measure fsmagic=0x42494e4d
			dont_appraise fsmagic=0x42494e4d
			# SECURITYFS_MAGIC
			dont_measure fsmagic=0x73636673
			dont_appraise fsmagic=0x73636673
			# SELINUX_MAGIC
			dont_measure fsmagic=0xf97cff8c
			dont_appraise fsmagic=0xf97cff8c
			# CGROUP_SUPER_MAGIC
			dont_measure fsmagic=0x27e0eb
			dont_appraise fsmagic=0x27e0eb
			# NSFS_MAGIC
			dont_measure fsmagic=0x6e736673
			dont_appraise fsmagic=0x6e736673

			measure func=BPRM_CHECK
			measure func=FILE_MMAP mask=MAY_EXEC
			measure func=FILE_CHECK mask=MAY_READ uid=0
			measure func=MODULE_CHECK
			measure func=FIRMWARE_CHECK
			appraise fowner=0

		The default policy measures all executables in bprm_check,
		all files mmapped executable in file_mmap, and all files
		open for read by root in do_filp_open.  The default appraisal
		policy appraises all files owned by root.

		Examples of LSM specific definitions:

		SELinux:
			dont_measure obj_type=var_log_t
			dont_appraise obj_type=var_log_t
			dont_measure obj_type=auditd_log_t
			dont_appraise obj_type=auditd_log_t
			measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
			measure subj_role=system_r func=FILE_CHECK mask=MAY_READ

		Smack:
			measure subj_user=_ func=FILE_CHECK mask=MAY_READ
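As an added example (it is neither part of this ABI document nor the kernel's own policy parser), the Python script below checks rules against the rule grammar given above (action, base conditions, LSM conditions, options, with the "^" mask negation, hex fsmagic, UUID fsuuid and decimal uid/euid/fowner forms) and then loads them the way the Description paragraph specifies: open ima/policy once, issue one write(2) per rule, and close the file so the new policy takes effect. It assumes securityfs is mounted at the conventional /sys/kernel/security; the sample input is an excerpt of the default policy listed above, and FILE_MMAP is accepted as a func value because that policy spells it that way. LSM label values are only checked for being non-empty, since the page says those are LSM specific.

```python
# Added example, not kernel code: pre-flight validation of IMA policy rules
# against the grammar in ABI/testing/ima_policy, plus a loader that writes
# them to securityfs one rule per write(2) through a single open/close.
import os
import re
import sys

ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise", "audit"}
FUNCS = {"BPRM_CHECK", "MMAP_CHECK", "FILE_CHECK", "MODULE_CHECK",
         "FIRMWARE_CHECK", "KEXEC_KERNEL_CHECK", "KEXEC_INITRAMFS_CHECK",
         "FILE_MMAP"}  # FILE_MMAP is the spelling the documented default policy uses
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_APPEND", "MAY_EXEC"}
LSM_KEYS = {"subj_user", "subj_role", "subj_type", "obj_user", "obj_role", "obj_type"}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Assumption: securityfs is mounted at its conventional location.
IMA_POLICY_PATH = "/sys/kernel/security/ima/policy"

# Constructed sample input: an excerpt of the default policy from this page.
DEFAULT_POLICY_EXCERPT = """\
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
dont_appraise fsmagic=0x62656572

measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=MODULE_CHECK
measure func=FIRMWARE_CHECK
appraise fowner=0
"""


def validate_rule(rule):
    """Return None if `rule` fits the documented grammar, else a short error string."""
    tokens = rule.split()
    if not tokens:
        return "empty rule"
    action, conditions = tokens[0], tokens[1:]
    if action not in ACTIONS:
        return "unknown action %r" % action
    seen = set()
    for tok in conditions:
        if tok == "permit_directio":  # the only flag-style option in the grammar
            continue
        if "=" not in tok:
            return "malformed condition %r" % tok
        key, value = tok.split("=", 1)
        if key in seen:
            return "condition %r given twice" % key
        seen.add(key)
        if key == "func":
            if value not in FUNCS:
                return "unknown func %r" % value
        elif key == "mask":
            bare = value[1:] if value.startswith("^") else value  # "^" negates
            if bare not in MASKS:
                return "unknown mask %r" % value
        elif key == "fsmagic":
            try:
                int(value, 16)  # hex value, with or without a 0x prefix
            except ValueError:
                return "fsmagic %r is not hex" % value
        elif key == "fsuuid":
            if not UUID_RE.match(value):
                return "fsuuid %r is not a UUID" % value
        elif key in ("uid", "euid", "fowner"):
            if not value.isdigit():
                return "%s must be decimal, got %r" % (key, value)
        elif key == "appraise_type":
            if value != "imasig":
                return "unknown appraise_type %r" % value
        elif key in LSM_KEYS:
            if not value:  # label syntax is LSM specific; only require a value
                return "%s needs a label" % key
        else:
            return "unknown condition %r" % key
    return None


def parse_policy_text(text):
    """Split policy text into rules, dropping blank lines and '#' comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def load_policy(rules, path=IMA_POLICY_PATH):
    """Validate every rule, then write each one with its own write(2) between a
    single open and close; nothing reaches the kernel if any rule is bad.
    Returns the number of rules written."""
    errors = ["rule %d: %s" % (n, validate_rule(r))
              for n, r in enumerate(rules, 1) if validate_rule(r)]
    if errors:
        raise ValueError("; ".join(errors))
    fd = os.open(path, os.O_WRONLY)
    try:
        for rule in rules:
            os.write(fd, (rule + "\n").encode())  # one rule per write(2)
    finally:
        os.close(fd)  # the new policy takes effect once the file is closed
    return len(rules)


if __name__ == "__main__":
    rules = parse_policy_text(DEFAULT_POLICY_EXCERPT)
    for rule in rules:
        err = validate_rule(rule)
        print("%-4s %s%s" % ("bad" if err else "ok", rule, " (%s)" % err if err else ""))
    if "--load" in sys.argv[1:]:  # requires root and a kernel with IMA enabled
        print("wrote %d rules to %s" % (load_policy(rules), IMA_POLICY_PATH))
```

Run it without arguments to see each sample rule checked; `--load` performs the securityfs write. The validator is a pre-flight only: the kernel's parser remains the authority on what a rule means, and rejecting the whole batch before opening the file avoids leaving a partially written policy behind, which matters because the policy is only activated on close.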

Information is copyright its respective author. All material is available from the Linux Kernel Source distributed under a GPL License. This page is provided as a free service by mjmwired.net.