1 What: security/ima/policy
3 Contact: Mimi Zohar <zohar@us.ibm.com>
5 The Trusted Computing Group(TCG) runtime Integrity
6 Measurement Architecture(IMA) maintains a list of hash
7 values of executables and other sensitive system files
8 loaded into the run-time of this system. At runtime,
9 the policy can be constrained based on LSM specific data.
10 Policies are loaded into the securityfs file ima/policy
11 by opening the file, writing the rules one at a time and
12 then closing the file. The new policy takes effect after
13 the file ima/policy is closed.
15 IMA appraisal, if configured, uses these file measurements
16 for local measurement appraisal.
20 rule format: action [condition ...]
22 action: measure | dont_measure | appraise | dont_appraise |
23 audit | hash | dont_hash
24 condition:= base | lsm [option]
25 base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
26 [euid=] [fowner=] [fsname=]]
27 lsm: [[subj_user=] [subj_role=] [subj_type=]
28 [obj_user=] [obj_role=] [obj_type=]]
29 option: [[appraise_type=]] [template=] [permit_directio]
30 [appraise_flag=] [appraise_algos=] [keyrings=]
32 func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
34 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
35 [KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
37 mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
40 fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
43 fowner:= decimal value
46 appraise_type:= [imasig] [imasig|modsig]
47 appraise_flag:= [check_blacklist]
48 Currently, blacklist check is only for files signed with appended
50 keyrings:= list of keyrings
51 (eg, .builtin_trusted_keys|.ima). Only valid
52 when action is "measure" and func is KEY_CHECK.
53 template:= name of a defined IMA template type
54 (eg, ima-ng). Only valid when action is "measure".
56 label:= [selinux]|[kernel_info]|[data_label]
57 data_label:= a unique string used for grouping and limiting critical data.
58 For example, "selinux" to measure critical data for SELinux.
59 appraise_algos:= comma-separated list of hash algorithms
60 For example, "sha256,sha512" to only accept to appraise
61 files where the security.ima xattr was hashed with one
62 of these two algorithms.
66 dont_measure fsmagic=0x9fa0
67 dont_appraise fsmagic=0x9fa0
69 dont_measure fsmagic=0x62656572
70 dont_appraise fsmagic=0x62656572
72 dont_measure fsmagic=0x64626720
73 dont_appraise fsmagic=0x64626720
75 dont_measure fsmagic=0x01021994
76 dont_appraise fsmagic=0x01021994
78 dont_appraise fsmagic=0x858458f6
80 dont_measure fsmagic=0x1cd1
81 dont_appraise fsmagic=0x1cd1
83 dont_measure fsmagic=0x42494e4d
84 dont_appraise fsmagic=0x42494e4d
86 dont_measure fsmagic=0x73636673
87 dont_appraise fsmagic=0x73636673
89 dont_measure fsmagic=0xf97cff8c
90 dont_appraise fsmagic=0xf97cff8c
92 dont_measure fsmagic=0x27e0eb
93 dont_appraise fsmagic=0x27e0eb
95 dont_measure fsmagic=0x6e736673
96 dont_appraise fsmagic=0x6e736673
98 measure func=BPRM_CHECK
99 measure func=FILE_MMAP mask=MAY_EXEC
100 measure func=FILE_CHECK mask=MAY_READ uid=0
101 measure func=MODULE_CHECK
102 measure func=FIRMWARE_CHECK
105 The default policy measures all executables in bprm_check,
106 all files mmapped executable in file_mmap, and all files
107 open for read by root in do_filp_open. The default appraisal
108 policy appraises all files owned by root.
110 Examples of LSM specific definitions:
114 dont_measure obj_type=var_log_t
115 dont_appraise obj_type=var_log_t
116 dont_measure obj_type=auditd_log_t
117 dont_appraise obj_type=auditd_log_t
118 measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
119 measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
123 measure subj_user=_ func=FILE_CHECK mask=MAY_READ
125 Example of measure rules using alternate PCRs::
127 measure func=KEXEC_KERNEL_CHECK pcr=4
128 measure func=KEXEC_INITRAMFS_CHECK pcr=5
130 Example of appraise rule allowing modsig appended signatures:
132 appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
134 Example of measure rule using KEY_CHECK to measure all keys:
136 measure func=KEY_CHECK
138 Example of measure rule using KEY_CHECK to only measure
139 keys added to .builtin_trusted_keys or .ima keyring:
141 measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
143 Example of the special SETXATTR_CHECK appraise rule, that
144 restricts the hash algorithms allowed when writing to the
145 security.ima xattr of a file:
147 appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512