1 What:           security/ima/policy
2 Date:           May 2008
3 Contact:        Mimi Zohar <zohar@us.ibm.com>
4 Description:
5                 The Trusted Computing Group (TCG) runtime Integrity
6                 Measurement Architecture (IMA) maintains a list of hash
7                 values of executables and other sensitive system files
8                 loaded into the run-time of this system.  At runtime,
9                 the policy can be constrained based on LSM-specific data.
10                 Policies are loaded into the securityfs file ima/policy
11                 by opening the file, writing the rules one at a time and
12                 then closing the file.  The new policy takes effect after
13                 the file ima/policy is closed.
14
15                 IMA appraisal, if configured, uses these file measurements
16                 for local measurement appraisal.
17
18                 ::
19
20                   rule format: action [condition ...]
21
22                   action: measure | dont_measure | appraise | dont_appraise |
23                           audit | hash | dont_hash
24                   condition:= base | lsm  [option]
25                         base:   [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
26                                 [euid=] [fowner=] [fsname=]]
27                         lsm:    [[subj_user=] [subj_role=] [subj_type=]
28                                  [obj_user=] [obj_role=] [obj_type=]]
29                         option: [[appraise_type=]] [template=] [permit_directio]
30                                 [appraise_flag=] [appraise_algos=] [keyrings=]
31                   base:
32                         func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
33                                 [FIRMWARE_CHECK]
34                                 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
35                                 [KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
36                                 [SETXATTR_CHECK]
37                         mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
38                                [[^]MAY_EXEC]
39                         fsmagic:= hex value
40                         fsuuid:= file system UUID (e.g. 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
41                         uid:= decimal value
42                         euid:= decimal value
43                         fowner:= decimal value
44                   lsm:  are LSM specific
45                   option:
46                         appraise_type:= [imasig] [imasig|modsig]
47                         appraise_flag:= [check_blacklist]
48                         Currently, the blacklist check applies only to files signed with an
49                         appended signature.
50                         keyrings:= list of keyrings
51                         (e.g., .builtin_trusted_keys|.ima). Only valid
52                         when action is "measure" and func is KEY_CHECK.
53                         template:= name of a defined IMA template type
54                         (e.g., ima-ng). Only valid when action is "measure".
55                         pcr:= decimal value
56                         label:= [selinux]|[kernel_info]|[data_label]
57                         data_label:= a unique string used for grouping and limiting critical data.
58                         For example, "selinux" to measure critical data for SELinux.
59                         appraise_algos:= comma-separated list of hash algorithms
60                         For example, "sha256,sha512" to appraise only files
61                         where the security.ima xattr was hashed with one
62                         of these two algorithms.
63
64                   default policy:
65                         # PROC_SUPER_MAGIC
66                         dont_measure fsmagic=0x9fa0
67                         dont_appraise fsmagic=0x9fa0
68                         # SYSFS_MAGIC
69                         dont_measure fsmagic=0x62656572
70                         dont_appraise fsmagic=0x62656572
71                         # DEBUGFS_MAGIC
72                         dont_measure fsmagic=0x64626720
73                         dont_appraise fsmagic=0x64626720
74                         # TMPFS_MAGIC
75                         dont_measure fsmagic=0x01021994
76                         dont_appraise fsmagic=0x01021994
77                         # RAMFS_MAGIC
78                         dont_appraise fsmagic=0x858458f6
79                         # DEVPTS_SUPER_MAGIC
80                         dont_measure fsmagic=0x1cd1
81                         dont_appraise fsmagic=0x1cd1
82                         # BINFMTFS_MAGIC
83                         dont_measure fsmagic=0x42494e4d
84                         dont_appraise fsmagic=0x42494e4d
85                         # SECURITYFS_MAGIC
86                         dont_measure fsmagic=0x73636673
87                         dont_appraise fsmagic=0x73636673
88                         # SELINUX_MAGIC
89                         dont_measure fsmagic=0xf97cff8c
90                         dont_appraise fsmagic=0xf97cff8c
91                         # CGROUP_SUPER_MAGIC
92                         dont_measure fsmagic=0x27e0eb
93                         dont_appraise fsmagic=0x27e0eb
94                         # NSFS_MAGIC
95                         dont_measure fsmagic=0x6e736673
96                         dont_appraise fsmagic=0x6e736673
97
98                         measure func=BPRM_CHECK
99                         measure func=FILE_MMAP mask=MAY_EXEC
100                         measure func=FILE_CHECK mask=MAY_READ uid=0
101                         measure func=MODULE_CHECK
102                         measure func=FIRMWARE_CHECK
103                         appraise fowner=0
104
105                 The default policy measures all executables in bprm_check,
106                 all files mmapped as executable in file_mmap, and all files
107                 opened for read by root in do_filp_open.  The default appraisal
108                 policy appraises all files owned by root.
109
110                 Examples of LSM specific definitions:
111
112                 SELinux::
113
114                         dont_measure obj_type=var_log_t
115                         dont_appraise obj_type=var_log_t
116                         dont_measure obj_type=auditd_log_t
117                         dont_appraise obj_type=auditd_log_t
118                         measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
119                         measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
120
121                 Smack::
122
123                         measure subj_user=_ func=FILE_CHECK mask=MAY_READ
124
125                 Example of measure rules using alternate PCRs::
126
127                         measure func=KEXEC_KERNEL_CHECK pcr=4
128                         measure func=KEXEC_INITRAMFS_CHECK pcr=5
129
130                 Example of appraise rule allowing modsig appended signatures::
131
132                         appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
133
134                 Example of measure rule using KEY_CHECK to measure all keys::
135
136                         measure func=KEY_CHECK
137
138                 Example of measure rule using KEY_CHECK to only measure
139                 keys added to .builtin_trusted_keys or .ima keyring::
140
141                         measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
142
143                 Example of the special SETXATTR_CHECK appraise rule, that
144                 restricts the hash algorithms allowed when writing to the
145                 security.ima xattr of a file::
146
147                         appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512