About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Documentation / ABI / testing / ima_policy




Custom Search

Based on kernel version 3.19. Page generated on 2015-02-13 21:16 EST.

1	What:		security/ima/policy
2	Date:		May 2008
3	Contact:	Mimi Zohar <zohar@us.ibm.com>
4	Description:
5			The Trusted Computing Group(TCG) runtime Integrity
6			Measurement Architecture(IMA) maintains a list of hash
7			values of executables and other sensitive system files
8			loaded into the run-time of this system.  At runtime,
9			the policy can be constrained based on LSM specific data.
10			Policies are loaded into the securityfs file ima/policy
11			by opening the file, writing the rules one at a time and
12			then closing the file.  The new policy takes effect after
13			the file ima/policy is closed.
14	
15			IMA appraisal, if configured, uses these file measurements
16			for local measurement appraisal.
17	
18			rule format: action [condition ...]
19	
20			action: measure | dont_measure | appraise | dont_appraise | audit
21			condition:= base | lsm  [option]
22				base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
23					 [fowner]]
24				lsm:	[[subj_user=] [subj_role=] [subj_type=]
25					 [obj_user=] [obj_role=] [obj_type=]]
26				option:	[[appraise_type=]] [permit_directio]
27	
28			base: 	func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
29					[FIRMWARE_CHECK]
30				mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
31				fsmagic:= hex value
32				fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
33				uid:= decimal value
34				fowner:=decimal value
35			lsm:  	are LSM specific
36			option:	appraise_type:= [imasig]
37	
38			default policy:
39				# PROC_SUPER_MAGIC
40				dont_measure fsmagic=0x9fa0
41				dont_appraise fsmagic=0x9fa0
42				# SYSFS_MAGIC
43				dont_measure fsmagic=0x62656572
44				dont_appraise fsmagic=0x62656572
45				# DEBUGFS_MAGIC
46				dont_measure fsmagic=0x64626720
47				dont_appraise fsmagic=0x64626720
48				# TMPFS_MAGIC
49				dont_measure fsmagic=0x01021994
50				dont_appraise fsmagic=0x01021994
51				# RAMFS_MAGIC
52				dont_measure fsmagic=0x858458f6
53				dont_appraise fsmagic=0x858458f6
54				# SECURITYFS_MAGIC
55				dont_measure fsmagic=0x73636673
56				dont_appraise fsmagic=0x73636673
57	
58				measure func=BPRM_CHECK
59				measure func=FILE_MMAP mask=MAY_EXEC
60				measure func=FILE_CHECK mask=MAY_READ uid=0
61				measure func=MODULE_CHECK
62				measure func=FIRMWARE_CHECK
63				appraise fowner=0
64	
65			The default policy measures all executables in bprm_check,
66			all files mmapped executable in file_mmap, and all files
67			open for read by root in do_filp_open.  The default appraisal
68			policy appraises all files owned by root.
69	
70			Examples of LSM specific definitions:
71	
72			SELinux:
73				# SELINUX_MAGIC
74				dont_measure fsmagic=0xf97cff8c
75				dont_appraise fsmagic=0xf97cff8c
76	
77				dont_measure obj_type=var_log_t
78				dont_appraise obj_type=var_log_t
79				dont_measure obj_type=auditd_log_t
80				dont_appraise obj_type=auditd_log_t
81				measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
82				measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
83	
84			Smack:
85				measure subj_user=_ func=FILE_CHECK mask=MAY_READ
Hide Line Numbers
About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Information is copyright its respective author. All material is available from the Linux Kernel Source distributed under a GPL License. This page is provided as a free service by mjmwired.net.