Documentation / ABI / testing / ima_policy
Based on kernel version 4.13.3. Page generated on 2017-09-23 13:54 EST.

What:		security/ima/policy
Date:		May 2008
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		The Trusted Computing Group (TCG) runtime Integrity
		Measurement Architecture (IMA) maintains a list of hash
		values of executables and other sensitive system files
		loaded into the run-time of this system.  At runtime,
		the policy can be constrained based on LSM-specific data.
		Policies are loaded into the securityfs file ima/policy
		by opening the file, writing the rules one at a time and
		then closing the file.  The new policy takes effect after
		the file ima/policy is closed.

		IMA appraisal, if configured, uses these file measurements
		for local measurement appraisal.

		rule format: action [condition ...]

		action: measure | dont_measure | appraise | dont_appraise | audit
		condition:= base | lsm  [option]
			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
				[euid=] [fowner=]]
			lsm:	[[subj_user=] [subj_role=] [subj_type=]
				 [obj_user=] [obj_role=] [obj_type=]]
			option:	[[appraise_type=]] [permit_directio]

		base: 	func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
				[FIRMWARE_CHECK]
				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
			       [[^]MAY_EXEC]
			fsmagic:= hex value
			fsuuid:= file system UUID (e.g. 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
			uid:= decimal value
			euid:= decimal value
			fowner:= decimal value
		lsm:  	are LSM specific
		option:	appraise_type:= [imasig]
			pcr:= decimal value

		default policy:
			# PROC_SUPER_MAGIC
			dont_measure fsmagic=0x9fa0
			dont_appraise fsmagic=0x9fa0
			# SYSFS_MAGIC
			dont_measure fsmagic=0x62656572
			dont_appraise fsmagic=0x62656572
			# DEBUGFS_MAGIC
			dont_measure fsmagic=0x64626720
			dont_appraise fsmagic=0x64626720
			# TMPFS_MAGIC
			dont_measure fsmagic=0x01021994
			dont_appraise fsmagic=0x01021994
			# RAMFS_MAGIC
			dont_appraise fsmagic=0x858458f6
			# DEVPTS_SUPER_MAGIC
			dont_measure fsmagic=0x1cd1
			dont_appraise fsmagic=0x1cd1
			# BINFMTFS_MAGIC
			dont_measure fsmagic=0x42494e4d
			dont_appraise fsmagic=0x42494e4d
			# SECURITYFS_MAGIC
			dont_measure fsmagic=0x73636673
			dont_appraise fsmagic=0x73636673
			# SELINUX_MAGIC
			dont_measure fsmagic=0xf97cff8c
			dont_appraise fsmagic=0xf97cff8c
			# CGROUP_SUPER_MAGIC
			dont_measure fsmagic=0x27e0eb
			dont_appraise fsmagic=0x27e0eb
			# NSFS_MAGIC
			dont_measure fsmagic=0x6e736673
			dont_appraise fsmagic=0x6e736673

			measure func=BPRM_CHECK
			measure func=FILE_MMAP mask=MAY_EXEC
			measure func=FILE_CHECK mask=MAY_READ uid=0
			measure func=MODULE_CHECK
			measure func=FIRMWARE_CHECK
			appraise fowner=0

		The default policy measures all executables in bprm_check,
		all files mmapped executable in file_mmap, and all files
		open for read by root in do_filp_open.  The default appraisal
		policy appraises all files owned by root.

		Examples of LSM specific definitions:

		SELinux:
			dont_measure obj_type=var_log_t
			dont_appraise obj_type=var_log_t
			dont_measure obj_type=auditd_log_t
			dont_appraise obj_type=auditd_log_t
			measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
			measure subj_role=system_r func=FILE_CHECK mask=MAY_READ

		Smack:
			measure subj_user=_ func=FILE_CHECK mask=MAY_READ

		Example of measure rules using alternate PCRs:

			measure func=KEXEC_KERNEL_CHECK pcr=4
			measure func=KEXEC_INITRAMFS_CHECK pcr=5
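As an added example (not part of the kernel documentation or the IMA code), a small Python validator for the rule grammar given above: it checks each rule's action, condition keys and value formats before a policy is written to ima/policy, so a typo is caught in review rather than as a rejected write. The vocabulary is taken from this page; the sample policy is constructed, and LSM label values are only checked for being non-empty, since the page says they are LSM specific.

```python
import re  # used for the fsmagic and fsuuid value checks
# Vocabulary taken from the ima_policy ABI text above.
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise", "audit"}
FUNCS = {"BPRM_CHECK", "MMAP_CHECK", "FILE_MMAP", "FILE_CHECK", "MODULE_CHECK",
         "FIRMWARE_CHECK", "KEXEC_KERNEL_CHECK", "KEXEC_INITRAMFS_CHECK"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_APPEND", "MAY_EXEC"}
LSM_KEYS = ("subj_user", "subj_role", "subj_type", "obj_user", "obj_role", "obj_type")

CHECKS = {  # one value check per condition key; mask accepts a leading ^ (negation)
    "func": lambda v: v in FUNCS,
    "mask": lambda v: v.lstrip("^") in MASKS,
    "fsmagic": lambda v: re.fullmatch(r"0x[0-9a-fA-F]+", v) is not None,
    "fsuuid": lambda v: re.fullmatch(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", v) is not None,
    "uid": str.isdigit, "euid": str.isdigit, "fowner": str.isdigit, "pcr": str.isdigit,
    "appraise_type": lambda v: v == "imasig",
    **{k: bool for k in LSM_KEYS},  # LSM labels are LSM-specific; only require non-empty
}

def parse_rule(line):
    """Parse one 'action [condition ...]' rule into (action, {key: value}) or raise."""
    tokens = line.split()
    if not tokens or tokens[0] not in ACTIONS:
        raise ValueError(f"bad or missing action in {line!r}")
    conds = {}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if key == "permit_directio" and not sep:    # the one bare (valueless) option
            conds[key] = True
        elif sep and key in CHECKS and CHECKS[key](val):
            conds[key] = val
        else:
            raise ValueError(f"unknown condition or bad value: {tok!r}")
    return tokens[0], conds

def validate_policy(text):
    """Return [(lineno, error)] for every rule that would not parse; [] means clean."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):   # skip blanks and comments
            try:
                parse_rule(line)
            except ValueError as e:
                problems.append((n, str(e)))
    return problems

SAMPLE_POLICY = """# constructed sample: two default-policy rules plus one misspelled func
dont_measure fsmagic=0x9fa0
measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=BPRM_CHEK"""
```

Running validate_policy(SAMPLE_POLICY) reports only line 4, the misspelled func; the two rules copied from the default policy pass.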