What:		security/ima/policy
Date:		May 2008
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		The Trusted Computing Group (TCG) runtime Integrity
		Measurement Architecture (IMA) maintains a list of hash
		values of executables and other sensitive system files
		loaded into the run-time of this system. At runtime,
		the policy can be constrained based on LSM specific data.
		Policies are loaded into the securityfs file ima/policy
		by opening the file, writing the rules one at a time and
		then closing the file. A write that does not parse as a
		valid rule fails with an error and that rule is not
		added. The new policy takes effect after the file
		ima/policy is closed; it replaces the default policy
		below, and the ima/policy file is then removed from
		securityfs, so the complete policy must be written in a
		single open/write/close sequence.

		IMA appraisal, if configured, uses these file measurements
		for local measurement appraisal: the file's hash is
		compared against the reference value stored with the
		file.

		rule format: action [condition ...]

		action: measure | dont_measure | appraise | dont_appraise | audit
		condition:= base | lsm  [option]
			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
				[fowner=]]
			lsm:	[[subj_user=] [subj_role=] [subj_type=]
				[obj_user=] [obj_role=] [obj_type=]]
			option:	[[appraise_type=]] [permit_directio]

		base: 	func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
				[FIRMWARE_CHECK]
			mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
			fsmagic:= hex value
			fsuuid:= file system UUID (e.g. 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
			uid:= decimal value (uid of the calling process)
			fowner:= decimal value (uid of the file's owner)
		lsm:  	are LSM specific
		option:	appraise_type:= [imasig]
				(appraise rules only; require a digital signature
				in the reference value rather than a plain hash)
			permit_directio: allow files matched by this appraise
				rule to be opened with O_DIRECT. IMA cannot hash
				an O_DIRECT file, so without this option such an
				open of a file that must be appraised fails in
				enforce mode.

		Rules are evaluated in order. The first matching rule of
		each class (measure/dont_measure, appraise/dont_appraise,
		audit) decides that class for the file, which is why the
		dont_* rules excluding pseudo file systems come first in
		the default policy.

		default policy:
			# PROC_SUPER_MAGIC
			dont_measure fsmagic=0x9fa0
			dont_appraise fsmagic=0x9fa0
			# SYSFS_MAGIC
			dont_measure fsmagic=0x62656572
			dont_appraise fsmagic=0x62656572
			# DEBUGFS_MAGIC
			dont_measure fsmagic=0x64626720
			dont_appraise fsmagic=0x64626720
			# TMPFS_MAGIC
			dont_measure fsmagic=0x01021994
			dont_appraise fsmagic=0x01021994
			# RAMFS_MAGIC
			dont_measure fsmagic=0x858458f6
			dont_appraise fsmagic=0x858458f6
			# SECURITYFS_MAGIC
			dont_measure fsmagic=0x73636673
			dont_appraise fsmagic=0x73636673

			measure func=BPRM_CHECK
			measure func=MMAP_CHECK mask=MAY_EXEC
			measure func=FILE_CHECK mask=MAY_READ uid=0
			measure func=MODULE_CHECK
			measure func=FIRMWARE_CHECK
			appraise fowner=0

		The default policy measures all executables (BPRM_CHECK),
		all files mmapped executable (MMAP_CHECK), all files
		opened for read by root (FILE_CHECK), and all kernel
		modules and firmware loaded (MODULE_CHECK, FIRMWARE_CHECK).
		The default appraisal policy appraises all files owned by
		root. (FILE_MMAP is an older spelling of MMAP_CHECK that
		the policy parser still accepts.)
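		The following is an added example, not kernel code: a
		validator for the rule grammar above plus an evaluator that
		walks a policy with the first-match-per-class semantics just
		described. Running it against the default policy shows which
		hook calls end up measured or appraised, and that moving a
		measure rule ahead of the dont_measure exemptions changes the
		outcome. The event dicts, SAMPLE_EVENTS, is_valid_rule() and
		the ext4 magic constant are constructed here for illustration;
		they are not part of the kernel interface.

```python
"""Validator and first-match evaluator for the IMA policy grammar documented
above (added example, not kernel code).  Events, EXT4_MAGIC and the sample
scenarios are constructed here for illustration."""
import uuid

ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise", "audit"}
FUNCS = {"BPRM_CHECK", "MMAP_CHECK", "FILE_CHECK", "MODULE_CHECK", "FIRMWARE_CHECK"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_APPEND", "MAY_EXEC"}
LSM_KEYS = {"subj_user", "subj_role", "subj_type", "obj_user", "obj_role", "obj_type"}
OPTIONS = ("permit_directio", "appraise_type")   # options never affect matching

def parse_rule(line):
    """Parse one 'action [condition ...]' rule into (action, {key: value}).
    Anything outside the documented grammar raises ValueError; the kernel
    likewise refuses the write of such a rule to ima/policy."""
    tokens = line.split()
    if not tokens or tokens[0] not in ACTIONS:
        raise ValueError(f"bad action in rule {line!r}")
    action, conds = tokens[0], {}
    for tok in tokens[1:]:
        if tok == "permit_directio":
            conds[tok] = True
            continue
        key, sep, val = tok.partition("=")
        if not sep or key in conds:
            raise ValueError(f"bad or duplicate condition {tok!r}")
        if key in ("func", "mask"):
            if key == "func" and val == "FILE_MMAP":
                val = "MMAP_CHECK"          # legacy spelling the kernel still accepts
            if val not in (FUNCS if key == "func" else MASKS):
                raise ValueError(f"unknown {key} {val!r}")
        elif key == "fsmagic":
            val = int(val, 16)              # documented as a hex value
        elif key in ("uid", "fowner"):
            val = int(val, 10)              # documented as decimal
        elif key == "fsuuid":
            val = str(uuid.UUID(val))       # rejects malformed UUIDs
        elif key == "appraise_type":
            if val != "imasig" or action != "appraise":
                raise ValueError("appraise_type=imasig is only valid on appraise rules")
        elif key not in LSM_KEYS:
            raise ValueError(f"unknown condition {key!r}")
        conds[key] = val
    return action, conds

def is_valid_rule(line):
    """Pre-load check: True if the kernel would accept this rule."""
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False

def parse_policy(text):
    """Parse a whole policy; '#' comment lines and blank lines are skipped."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def rule_matches(conds, event):
    """Every condition in the rule must hold for the event; the mask is
    modelled as a single value compared for equality."""
    return all(event.get(k) == v for k, v in conds.items() if k not in OPTIONS)

def evaluate(policy, event):
    """Return the classes ('measure', 'appraise', 'audit') applied to the event.
    Rules are walked in order; the first matching rule of each class settles it."""
    decided, applied = set(), set()
    for action, conds in policy:
        cls = action.replace("dont_", "", 1)
        if cls in decided or not rule_matches(conds, event):
            continue
        decided.add(cls)
        if not action.startswith("dont_"):
            applied.add(cls)
    return applied

# The default policy from the page, with the pseudo-fs exemptions generated.
PSEUDO_FS = {"PROC_SUPER_MAGIC": 0x9fa0, "SYSFS_MAGIC": 0x62656572, "DEBUGFS_MAGIC": 0x64626720,
             "TMPFS_MAGIC": 0x01021994, "RAMFS_MAGIC": 0x858458f6, "SECURITYFS_MAGIC": 0x73636673}
DEFAULT_POLICY = "\n".join(
    f"{a} fsmagic={m:#x}" for m in PSEUDO_FS.values() for a in ("dont_measure", "dont_appraise")
) + """
measure func=BPRM_CHECK
measure func=MMAP_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=MODULE_CHECK
measure func=FIRMWARE_CHECK
appraise fowner=0
"""

EXT4_MAGIC, PROC_SUPER_MAGIC = 0xEF53, 0x9FA0
SAMPLE_EVENTS = {   # constructed hook invocations, one dict per file access
    "root reads /etc/shadow": dict(func="FILE_CHECK", mask="MAY_READ", uid=0, fowner=0, fsmagic=EXT4_MAGIC),
    "root reads /proc/self/maps": dict(func="FILE_CHECK", mask="MAY_READ", uid=0, fowner=0, fsmagic=PROC_SUPER_MAGIC),
    "user execs /bin/ls": dict(func="BPRM_CHECK", mask="MAY_EXEC", uid=1000, fowner=0, fsmagic=EXT4_MAGIC),
    "user reads own file": dict(func="FILE_CHECK", mask="MAY_READ", uid=1000, fowner=1000, fsmagic=EXT4_MAGIC),
}

if __name__ == "__main__":
    rules = parse_policy(DEFAULT_POLICY)
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:28} -> {sorted(evaluate(rules, event)) or 'nothing'}")
```

		Feeding a real policy file through parse_policy() before
		writing it to ima/policy catches a rejected rule while the
		policy can still be corrected; once a partially written
		policy is closed it is the one the kernel enforces.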
		Examples of LSM specific definitions:

		SELinux:
			# SELINUX_MAGIC
			dont_measure fsmagic=0xf97cff8c
			dont_appraise fsmagic=0xf97cff8c

			dont_measure obj_type=var_log_t
			dont_appraise obj_type=var_log_t
			dont_measure obj_type=auditd_log_t
			dont_appraise obj_type=auditd_log_t
			measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
			measure subj_role=system_r func=FILE_CHECK mask=MAY_READ

		The obj_type exclusions keep continually written log files
		out of the measurement list and out of appraisal, where
		their changing contents would otherwise produce constant
		new measurements and appraisal failures.

		Smack:
			measure subj_user=_ func=FILE_CHECK mask=MAY_READ