1 What: /sys/kernel/security/*/ima/policy
3 Contact: Mimi Zohar <zohar@us.ibm.com>
5 The Trusted Computing Group(TCG) runtime Integrity
6 Measurement Architecture(IMA) maintains a list of hash
7 values of executables and other sensitive system files
8 loaded into the run-time of this system. At runtime,
9 the policy can be constrained based on LSM specific data.
10 Policies are loaded into the securityfs file ima/policy
11 by opening the file, writing the rules one at a time and
12 then closing the file. The new policy takes effect after
13 the file ima/policy is closed.
15 IMA appraisal, if configured, uses these file measurements
16 for local measurement appraisal.
20 rule format: action [condition ...]
22 action: measure | dont_measure | appraise | dont_appraise |
23 audit | hash | dont_hash
24 condition:= base | lsm [option]
25 base: [[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
26 [uid=] [euid=] [gid=] [egid=]
28 lsm: [[subj_user=] [subj_role=] [subj_type=]
29 [obj_user=] [obj_role=] [obj_type=]]
30 option: [digest_type=] [template=] [permit_directio]
31 [appraise_type=] [appraise_flag=]
32 [appraise_algos=] [keyrings=]
34 func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
36 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
37 [KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
38 [SETXATTR_CHECK][MMAP_CHECK_REQPROT]
39 mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
42 fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
47 fowner:= decimal value
48 fgroup:= decimal value
51 appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
52 where 'imasig' is the original or the signature
54 where 'modsig' is an appended signature,
55 where 'sigv3' is the signature format v3. (Currently
56 limited to fsverity digest based signatures
57 stored in security.ima xattr. Requires
58 specifying "digest_type=verity" first.)
60 appraise_flag:= [check_blacklist] (deprecated)
61 Setting the check_blacklist flag is no longer necessary.
62 All appraisal functions set it by default.
64 Require fs-verity's file digest instead of the
65 regular IMA file hash.
66 keyrings:= list of keyrings
67 (eg, .builtin_trusted_keys|.ima). Only valid
68 when action is "measure" and func is KEY_CHECK.
69 template:= name of a defined IMA template type
70 (eg, ima-ng). Only valid when action is "measure".
72 label:= [selinux]|[kernel_info]|[data_label]
73 data_label:= a unique string used for grouping and limiting critical data.
74 For example, "selinux" to measure critical data for SELinux.
75 appraise_algos:= comma-separated list of hash algorithms
76 For example, "sha256,sha512" to only accept to appraise
77 files where the security.ima xattr was hashed with one
78 of these two algorithms.
82 dont_measure fsmagic=0x9fa0
83 dont_appraise fsmagic=0x9fa0
85 dont_measure fsmagic=0x62656572
86 dont_appraise fsmagic=0x62656572
88 dont_measure fsmagic=0x64626720
89 dont_appraise fsmagic=0x64626720
91 dont_measure fsmagic=0x01021994
92 dont_appraise fsmagic=0x01021994
94 dont_appraise fsmagic=0x858458f6
96 dont_measure fsmagic=0x1cd1
97 dont_appraise fsmagic=0x1cd1
99 dont_measure fsmagic=0x42494e4d
100 dont_appraise fsmagic=0x42494e4d
102 dont_measure fsmagic=0x73636673
103 dont_appraise fsmagic=0x73636673
105 dont_measure fsmagic=0xf97cff8c
106 dont_appraise fsmagic=0xf97cff8c
108 dont_measure fsmagic=0x27e0eb
109 dont_appraise fsmagic=0x27e0eb
111 dont_measure fsmagic=0x6e736673
112 dont_appraise fsmagic=0x6e736673
114 measure func=BPRM_CHECK
115 measure func=FILE_MMAP mask=MAY_EXEC
116 measure func=FILE_CHECK mask=MAY_READ uid=0
117 measure func=MODULE_CHECK
118 measure func=FIRMWARE_CHECK
121 The default policy measures all executables in bprm_check,
122 all files mmapped executable in file_mmap, and all files
123 open for read by root in do_filp_open. The default appraisal
124 policy appraises all files owned by root.
126 Examples of LSM specific definitions:
130 dont_measure obj_type=var_log_t
131 dont_appraise obj_type=var_log_t
132 dont_measure obj_type=auditd_log_t
133 dont_appraise obj_type=auditd_log_t
134 measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
135 measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
139 measure subj_user=_ func=FILE_CHECK mask=MAY_READ
141 Example of measure rules using alternate PCRs::
143 measure func=KEXEC_KERNEL_CHECK pcr=4
144 measure func=KEXEC_INITRAMFS_CHECK pcr=5
146 Example of appraise rule allowing modsig appended signatures:
148 appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
150 Example of measure rule using KEY_CHECK to measure all keys:
152 measure func=KEY_CHECK
154 Example of measure rule using KEY_CHECK to only measure
155 keys added to .builtin_trusted_keys or .ima keyring:
157 measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
159 Example of the special SETXATTR_CHECK appraise rule, that
160 restricts the hash algorithms allowed when writing to the
161 security.ima xattr of a file:
163 appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512
165 Example of a 'measure' rule requiring fs-verity's digests
166 with indication of type of digest in the measurement list.
168 measure func=FILE_CHECK digest_type=verity \
171 Example of 'measure' and 'appraise' rules requiring fs-verity
172 signatures (format version 3) stored in security.ima xattr.
174 The 'measure' rule specifies the 'ima-sigv3' template option,
175 which includes the indication of type of digest and the file
176 signature in the measurement list.
178 measure func=BPRM_CHECK digest_type=verity \
182 The 'appraise' rule specifies the type and signature format
183 version (sigv3) required.
185 appraise func=BPRM_CHECK digest_type=verity \
188 All of these policy rules could, for example, be constrained
189 either based on a filesystem's UUID (fsuuid) or based on LSM