Documentation / ABI / testing / ima_policy

Based on kernel version 3.3. Page generated on 2012-03-23 21:22 EST.

What:		security/ima/policy
Date:		May 2008
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		The Trusted Computing Group (TCG) runtime Integrity
		Measurement Architecture (IMA) maintains a list of hash
		values of executables and other sensitive system files
		loaded into the run-time of this system.  At runtime,
		the policy can be constrained based on LSM-specific data.
		Policies are loaded into the securityfs file ima/policy
		by opening the file, writing the rules one at a time and
		then closing the file.  The new policy takes effect after
		the file ima/policy is closed.

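The load procedure the description gives (open ima/policy, write the rules one at a time, close the file so the new policy takes effect), as an added Python example that is not part of the kernel documentation or source. It assumes securityfs is mounted at /sys/kernel/security and that every rule must arrive in its own write() call; the embedded sample policy is a constructed subset of the default policy listed further down, and dry_run() exercises the same code path against a temporary file so it can be tried without root.

```python
"""Load an IMA policy: open ima/policy once, write the rules one at a time,
close the file so the kernel activates the new policy.
Added example, not kernel or project code.  Assumption: securityfs is mounted
at /sys/kernel/security; any other path (e.g. a temporary file) can be passed."""
import os
import tempfile

POLICY_PATH = "/sys/kernel/security/ima/policy"   # assumed securityfs mount point

# Constructed sample policy: a subset of the documented default policy.
SAMPLE_POLICY = """\
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
"""


def rules_from_text(text):
    """Yield rule lines only: blank lines and '#' comments are dropped so that
    every write carries exactly one rule."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def load_policy(text, path=POLICY_PATH):
    """Write each rule in `text` to `path` with its own write(2) call and
    return the number of rules written.  The file is opened once and closed
    once; the kernel activates the policy on close.  If the kernel rejects a
    rule, write() raises OSError, which propagates after the file is closed."""
    count = 0
    fd = os.open(path, os.O_WRONLY)        # the policy file is write-only
    try:
        for rule in rules_from_text(text):
            data = (rule + "\n").encode()
            if os.write(fd, data) != len(data):
                raise OSError(f"short write for rule {rule!r}")
            count += 1
    finally:
        os.close(fd)                        # new policy takes effect here
    return count


def dry_run(text):
    """Run load_policy against a temporary file instead of securityfs (no root
    needed) and return (rules_written, lines_read_back)."""
    fd, tmp = tempfile.mkstemp(prefix="ima_policy_")
    os.close(fd)
    try:
        count = load_policy(text, tmp)
        with open(tmp) as f:
            return count, f.read().splitlines()
    finally:
        os.unlink(tmp)


if __name__ == "__main__":
    written, lines = dry_run(SAMPLE_POLICY)
    print(f"{written} rules written:")
    print("\n".join(lines))
```

Keeping one rule per write() matters because the kernel parses each write as a single rule; concatenating the whole file into one write would hand it a rule it cannot parse. Opening the file once and closing it once is equally deliberate: the close is what activates the policy.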
		rule format: action [condition ...]

		action: measure | dont_measure
		condition:= base | lsm
			base:	[[func=] [mask=] [fsmagic=] [uid=]]
			lsm:	[[subj_user=] [subj_role=] [subj_type=]
				 [obj_user=] [obj_role=] [obj_type=]]

		base:	func:= [BPRM_CHECK][FILE_MMAP][FILE_CHECK]
			mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
			fsmagic:= hex value
			uid:= decimal value
		lsm:	values are LSM specific

		default policy:
			# PROC_SUPER_MAGIC
			dont_measure fsmagic=0x9fa0
			# SYSFS_MAGIC
			dont_measure fsmagic=0x62656572
			# DEBUGFS_MAGIC
			dont_measure fsmagic=0x64626720
			# TMPFS_MAGIC
			dont_measure fsmagic=0x01021994
			# SECURITYFS_MAGIC
			dont_measure fsmagic=0x73636673

			measure func=BPRM_CHECK
			measure func=FILE_MMAP mask=MAY_EXEC
			measure func=FILE_CHECK mask=MAY_READ uid=0

		The default policy measures all executables in bprm_check,
		all files mmapped executable in file_mmap, and all files
		open for read by root in do_filp_open.

		Examples of LSM specific definitions:

		SELinux:
			# SELINUX_MAGIC
			dont_measure fsmagic=0xF97CFF8C

			dont_measure obj_type=var_log_t
			dont_measure obj_type=auditd_log_t
			measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
			measure subj_role=system_r func=FILE_CHECK mask=MAY_READ

		Smack:
			measure subj_user=_ func=FILE_CHECK mask=MAY_READ
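The rule grammar and default policy above, together with the LSM-specific SELinux and Smack examples, as an added Python model that is not kernel code: it parses rules into the documented base and lsm conditions, reports anything off-grammar with its line number, and evaluates a policy against constructed access events. Three points are assumptions about how the kernel walks its rule list rather than statements from this page: rules are tried in order and the first match decides, a condition a rule leaves out matches any value, and no matching rule means the file is not measured. The access events, their labels and the EXT4_SUPER_MAGIC value are constructed sample input.

```python
"""Parse and evaluate IMA policy rules in the documented format.
Added example, not kernel code.  Assumed: rules are tried in order and the
first match decides; an omitted condition matches any value; when no rule
matches, the file is not measured."""
import re
from dataclasses import dataclass, field

ACTIONS = {"measure", "dont_measure"}
FUNCS = {"BPRM_CHECK", "FILE_MMAP", "FILE_CHECK"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_APPEND", "MAY_EXEC"}
LSM_KEYS = {"subj_user", "subj_role", "subj_type",
            "obj_user", "obj_role", "obj_type"}


@dataclass
class Rule:
    action: str
    conds: dict                                  # condition key -> normalised value


@dataclass
class Access:
    # One access event as an IMA hook would see it (constructed sample input).
    func: str
    mask: str
    fsmagic: int
    uid: int
    labels: dict = field(default_factory=dict)   # lsm condition key -> label


def parse_rule(line):
    """Parse 'action [key=value ...]'; raise ValueError for anything off-grammar."""
    tokens = line.split()
    if not tokens or tokens[0] not in ACTIONS:
        raise ValueError(f"unknown action in rule {line!r}")
    conds = {}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if not sep or not val or key in conds:
            raise ValueError(f"malformed or duplicate condition {tok!r}")
        if key == "func" and val in FUNCS:
            conds[key] = val
        elif key == "mask" and val in MASKS:
            conds[key] = val
        elif key == "fsmagic" and re.fullmatch(r"(0[xX])?[0-9a-fA-F]+", val):
            conds[key] = int(val, 16)            # hex value, 0x prefix optional
        elif key == "uid" and val.isdigit():
            conds[key] = int(val)                # decimal value
        elif key in LSM_KEYS:
            conds[key] = val                     # opaque label; the LSM defines it
        else:
            raise ValueError(f"bad condition {tok!r}")
    return Rule(tokens[0], conds)


def _rule_lines(text):
    """(line number, text) for every line that is neither blank nor a '#' comment."""
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            yield n, line


def parse_policy(text):
    """Parse a whole policy into an ordered list of Rule objects."""
    return [parse_rule(line) for _, line in _rule_lines(text)]


def policy_errors(text):
    """Return one 'line N: reason' string per rule that would be rejected."""
    errors = []
    for n, line in _rule_lines(text):
        try:
            parse_rule(line)
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
    return errors


def match_policy(rules, access):
    """Action of the first rule whose every condition holds for `access`, else None."""
    for rule in rules:
        if all((access.labels.get(k) if k in LSM_KEYS else getattr(access, k)) == v
               for k, v in rule.conds.items()):
            return rule.action
    return None


# The default policy from the documentation above, used as sample input.
DEFAULT_POLICY = """\
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673

measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
"""
EXT4_SUPER_MAGIC = 0xEF53   # an ordinary on-disk filesystem for the sample events
```

Running policy_errors() over a policy before loading it catches the mistakes that would otherwise surface only as a failed write, and match_policy() makes the ordering visible: with the default policy, a root read of a file on procfs hits the dont_measure fsmagic rule first, while a root read of the same file on an ordinary filesystem reaches the final measure rule, and an mmap for read only never matches at all.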

Information is copyright its respective author. All material is available from the Linux Kernel Source distributed under a GPL License. This page is provided as a free service by mjmwired.net.