blob: d0d0c578324c7437324d5a23f1536cc1f0f2a08d [file] [log] [blame]
Mimi Zohar4af46622009-02-04 09:07:00 -05001What: security/ima/policy
2Date: May 2008
3Contact: Mimi Zohar <zohar@us.ibm.com>
4Description:
5 The Trusted Computing Group(TCG) runtime Integrity
6 Measurement Architecture(IMA) maintains a list of hash
7 values of executables and other sensitive system files
8 loaded into the run-time of this system. At runtime,
9 the policy can be constrained based on LSM specific data.
10 Policies are loaded into the securityfs file ima/policy
11 by opening the file, writing the rules one at a time and
12 then closing the file. The new policy takes effect after
13 the file ima/policy is closed.
14
Mimi Zohar07f6a792011-03-09 22:25:48 -050015 IMA appraisal, if configured, uses these file measurements
16 for local measurement appraisal.
17
Mimi Zohar4af46622009-02-04 09:07:00 -050018 rule format: action [condition ...]
19
Peter Moodye7c568e2012-06-14 10:04:36 -070020 action: measure | dont_measure | appraise | dont_appraise | audit
Dmitry Kasatkin0e5a2472012-06-08 13:58:49 +030021 condition:= base | lsm [option]
Dmitry Kasatkin85865c12012-09-03 23:23:13 +030022 base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
23 [fowner]]
Mimi Zohar4af46622009-02-04 09:07:00 -050024 lsm: [[subj_user=] [subj_role=] [subj_type=]
25 [obj_user=] [obj_role=] [obj_type=]]
Mimi Zoharf9b2a732014-05-12 09:28:11 -040026 option: [[appraise_type=]] [permit_directio]
Mimi Zohar4af46622009-02-04 09:07:00 -050027
Mimi Zohar16cac492012-12-13 11:15:04 -050028 base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
Mimi Zohar5a9196d2014-07-22 10:39:48 -040029 [FIRMWARE_CHECK]
Mimi Zohar4af46622009-02-04 09:07:00 -050030 mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
31 fsmagic:= hex value
Dmitry Kasatkin85865c12012-09-03 23:23:13 +030032 fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
Mimi Zohar4af46622009-02-04 09:07:00 -050033 uid:= decimal value
Mimi Zohar07f6a792011-03-09 22:25:48 -050034 fowner:=decimal value
Mimi Zohar4af46622009-02-04 09:07:00 -050035 lsm: are LSM specific
Dmitry Kasatkin0e5a2472012-06-08 13:58:49 +030036 option: appraise_type:= [imasig]
Mimi Zohar4af46622009-02-04 09:07:00 -050037
38 default policy:
39 # PROC_SUPER_MAGIC
40 dont_measure fsmagic=0x9fa0
Mimi Zohar07f6a792011-03-09 22:25:48 -050041 dont_appraise fsmagic=0x9fa0
Mimi Zohar4af46622009-02-04 09:07:00 -050042 # SYSFS_MAGIC
43 dont_measure fsmagic=0x62656572
Mimi Zohar07f6a792011-03-09 22:25:48 -050044 dont_appraise fsmagic=0x62656572
Mimi Zohar4af46622009-02-04 09:07:00 -050045 # DEBUGFS_MAGIC
46 dont_measure fsmagic=0x64626720
Mimi Zohar07f6a792011-03-09 22:25:48 -050047 dont_appraise fsmagic=0x64626720
Mimi Zohar4af46622009-02-04 09:07:00 -050048 # TMPFS_MAGIC
49 dont_measure fsmagic=0x01021994
Mimi Zohar07f6a792011-03-09 22:25:48 -050050 dont_appraise fsmagic=0x01021994
51 # RAMFS_MAGIC
52 dont_measure fsmagic=0x858458f6
53 dont_appraise fsmagic=0x858458f6
Mimi Zohar4af46622009-02-04 09:07:00 -050054 # SECURITYFS_MAGIC
55 dont_measure fsmagic=0x73636673
Mimi Zohar07f6a792011-03-09 22:25:48 -050056 dont_appraise fsmagic=0x73636673
Mimi Zohar4af46622009-02-04 09:07:00 -050057
58 measure func=BPRM_CHECK
59 measure func=FILE_MMAP mask=MAY_EXEC
Mimi Zohar1e93d002010-01-26 17:02:41 -050060 measure func=FILE_CHECK mask=MAY_READ uid=0
Mimi Zohar5a9196d2014-07-22 10:39:48 -040061 measure func=MODULE_CHECK
62 measure func=FIRMWARE_CHECK
Mimi Zohar07f6a792011-03-09 22:25:48 -050063 appraise fowner=0
Mimi Zohar4af46622009-02-04 09:07:00 -050064
65 The default policy measures all executables in bprm_check,
66 all files mmapped executable in file_mmap, and all files
Mimi Zohar07f6a792011-03-09 22:25:48 -050067 open for read by root in do_filp_open. The default appraisal
68 policy appraises all files owned by root.
Mimi Zohar4af46622009-02-04 09:07:00 -050069
70 Examples of LSM specific definitions:
71
72 SELinux:
73 # SELINUX_MAGIC
Mimi Zohar07f6a792011-03-09 22:25:48 -050074 dont_measure fsmagic=0xf97cff8c
75 dont_appraise fsmagic=0xf97cff8c
Mimi Zohar4af46622009-02-04 09:07:00 -050076
77 dont_measure obj_type=var_log_t
Mimi Zohar07f6a792011-03-09 22:25:48 -050078 dont_appraise obj_type=var_log_t
Mimi Zohar4af46622009-02-04 09:07:00 -050079 dont_measure obj_type=auditd_log_t
Mimi Zohar07f6a792011-03-09 22:25:48 -050080 dont_appraise obj_type=auditd_log_t
Mimi Zohar1e93d002010-01-26 17:02:41 -050081 measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
82 measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
Mimi Zohar4af46622009-02-04 09:07:00 -050083
84 Smack:
Mimi Zohar1e93d002010-01-26 17:02:41 -050085 measure subj_user=_ func=FILE_CHECK mask=MAY_READ