About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Documentation / ABI / testing / ima_policy




Custom Search

Based on kernel version 4.3. Page generated on 2015-11-02 12:43 EST.

1	What:		security/ima/policy
2	Date:		May 2008
3	Contact:	Mimi Zohar <zohar@us.ibm.com>
4	Description:
5			The Trusted Computing Group(TCG) runtime Integrity
6			Measurement Architecture(IMA) maintains a list of hash
7			values of executables and other sensitive system files
8			loaded into the run-time of this system.  At runtime,
9			the policy can be constrained based on LSM specific data.
10			Policies are loaded into the securityfs file ima/policy
11			by opening the file, writing the rules one at a time and
12			then closing the file.  The new policy takes effect after
13			the file ima/policy is closed.
14	
15			IMA appraisal, if configured, uses these file measurements
16			for local measurement appraisal.
17	
18			rule format: action [condition ...]
19	
20			action: measure | dont_measure | appraise | dont_appraise | audit
21			condition:= base | lsm  [option]
22				base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
23					[euid=] [fowner=]]
24				lsm:	[[subj_user=] [subj_role=] [subj_type=]
25					 [obj_user=] [obj_role=] [obj_type=]]
26				option:	[[appraise_type=]] [permit_directio]
27	
28			base: 	func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
29					[FIRMWARE_CHECK]
30				mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
31				       [[^]MAY_EXEC]
32				fsmagic:= hex value
33				fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
34				uid:= decimal value
35				euid:= decimal value
36				fowner:=decimal value
37			lsm:  	are LSM specific
38			option:	appraise_type:= [imasig]
39	
40			default policy:
41				# PROC_SUPER_MAGIC
42				dont_measure fsmagic=0x9fa0
43				dont_appraise fsmagic=0x9fa0
44				# SYSFS_MAGIC
45				dont_measure fsmagic=0x62656572
46				dont_appraise fsmagic=0x62656572
47				# DEBUGFS_MAGIC
48				dont_measure fsmagic=0x64626720
49				dont_appraise fsmagic=0x64626720
50				# TMPFS_MAGIC
51				dont_measure fsmagic=0x01021994
52				dont_appraise fsmagic=0x01021994
53				# RAMFS_MAGIC
54				dont_appraise fsmagic=0x858458f6
55				# DEVPTS_SUPER_MAGIC
56				dont_measure fsmagic=0x1cd1
57				dont_appraise fsmagic=0x1cd1
58				# BINFMTFS_MAGIC
59				dont_measure fsmagic=0x42494e4d
60				dont_appraise fsmagic=0x42494e4d
61				# SECURITYFS_MAGIC
62				dont_measure fsmagic=0x73636673
63				dont_appraise fsmagic=0x73636673
64				# SELINUX_MAGIC
65				dont_measure fsmagic=0xf97cff8c
66				dont_appraise fsmagic=0xf97cff8c
67				# CGROUP_SUPER_MAGIC
68				dont_measure fsmagic=0x27e0eb
69				dont_appraise fsmagic=0x27e0eb
70				# NSFS_MAGIC
71				dont_measure fsmagic=0x6e736673
72				dont_appraise fsmagic=0x6e736673
73	
74				measure func=BPRM_CHECK
75				measure func=FILE_MMAP mask=MAY_EXEC
76				measure func=FILE_CHECK mask=MAY_READ uid=0
77				measure func=MODULE_CHECK
78				measure func=FIRMWARE_CHECK
79				appraise fowner=0
80	
81			The default policy measures all executables in bprm_check,
82			all files mmapped executable in file_mmap, and all files
83			open for read by root in do_filp_open.  The default appraisal
84			policy appraises all files owned by root.
85	
86			Examples of LSM specific definitions:
87	
88			SELinux:
89				dont_measure obj_type=var_log_t
90				dont_appraise obj_type=var_log_t
91				dont_measure obj_type=auditd_log_t
92				dont_appraise obj_type=auditd_log_t
93				measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
94				measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
95	
96			Smack:
97				measure subj_user=_ func=FILE_CHECK mask=MAY_READ
Hide Line Numbers
About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Information is copyright its respective author. All material is available from the Linux Kernel Source distributed under a GPL License. This page is provided as a free service by mjmwired.net.