What:           security/ima/policy
Date:           May 2008
Contact:        Mimi Zohar <zohar@us.ibm.com>
Description:
                The Trusted Computing Group (TCG) runtime Integrity
                Measurement Architecture (IMA) maintains a list of hash
                values of executables and other sensitive system files
                loaded into the run-time of this system. At runtime,
                the policy can be constrained based on LSM specific data.
                Policies are loaded into the securityfs file ima/policy
                by opening the file, writing the rules one at a time and
                then closing the file. The new policy takes effect after
                the file ima/policy is closed.

                IMA appraisal, if configured, uses these file measurements
                for local measurement appraisal.

                rule format: action [condition ...]

                action: measure | dont_measure | appraise | dont_appraise | audit
                condition:= base | lsm [option]
                        base:   [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
                                [euid=] [fowner=]]
                        lsm:    [[subj_user=] [subj_role=] [subj_type=]
                                [obj_user=] [obj_role=] [obj_type=]]
                        option: [[appraise_type=]] [permit_directio]

                base:   func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
                               [FIRMWARE_CHECK]
                        mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
                               [[^]MAY_EXEC]
                        fsmagic:= hex value
                        fsuuid:= file system UUID (e.g. 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
                        uid:= decimal value
                        euid:= decimal value
                        fowner:= decimal value
                lsm:    are LSM specific
                option: appraise_type:= [imasig]

                default policy:
                        # PROC_SUPER_MAGIC
                        dont_measure fsmagic=0x9fa0
                        dont_appraise fsmagic=0x9fa0
                        # SYSFS_MAGIC
                        dont_measure fsmagic=0x62656572
                        dont_appraise fsmagic=0x62656572
                        # DEBUGFS_MAGIC
                        dont_measure fsmagic=0x64626720
                        dont_appraise fsmagic=0x64626720
                        # TMPFS_MAGIC
                        dont_measure fsmagic=0x01021994
                        dont_appraise fsmagic=0x01021994
                        # RAMFS_MAGIC
                        dont_appraise fsmagic=0x858458f6
                        # DEVPTS_SUPER_MAGIC
                        dont_measure fsmagic=0x1cd1
                        dont_appraise fsmagic=0x1cd1
                        # BINFMTFS_MAGIC
                        dont_measure fsmagic=0x42494e4d
                        dont_appraise fsmagic=0x42494e4d
                        # SECURITYFS_MAGIC
                        dont_measure fsmagic=0x73636673
                        dont_appraise fsmagic=0x73636673
                        # SELINUX_MAGIC
                        dont_measure fsmagic=0xf97cff8c
                        dont_appraise fsmagic=0xf97cff8c
                        # CGROUP_SUPER_MAGIC
                        dont_measure fsmagic=0x27e0eb
                        dont_appraise fsmagic=0x27e0eb
                        # NSFS_MAGIC
                        dont_measure fsmagic=0x6e736673
                        dont_appraise fsmagic=0x6e736673

                        measure func=BPRM_CHECK
                        measure func=FILE_MMAP mask=MAY_EXEC
                        measure func=FILE_CHECK mask=MAY_READ uid=0
                        measure func=MODULE_CHECK
                        measure func=FIRMWARE_CHECK
                        appraise fowner=0

                The default policy measures all executables in bprm_check,
                all files mmapped executable in file_mmap, and all files
                open for read by root in do_filp_open. The default appraisal
                policy appraises all files owned by root.
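                A small policy matcher, added here as an example (not kernel code), that parses rules in the grammar above and applies them to a file access described as a dict (func, mask as a set of MAY_* names, fsmagic, uid, euid, fowner and any LSM labels). It assumes rules are evaluated in written order with the first match per action class winning, that FILE_MMAP in the default policy is an alias for MMAP_CHECK, and that a ^-prefixed mask matches any access containing that bit while a plain mask requires exactly that mode; the sample policy is a constructed slice of the default policy.

```python
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise", "audit"}
FUNCS = {"BPRM_CHECK", "MMAP_CHECK", "FILE_CHECK", "MODULE_CHECK", "FIRMWARE_CHECK"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_APPEND", "MAY_EXEC"}
INT_BASE = {"fsmagic": 16, "uid": 10, "euid": 10, "fowner": 10}  # hex vs decimal, per the grammar
LSM_KEYS = {"subj_user", "subj_role", "subj_type", "obj_user", "obj_role", "obj_type"}
SAMPLE_POLICY = """# constructed sample: a slice of the default policy above
dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x9fa0
measure func=BPRM_CHECK
measure func=FILE_CHECK mask=MAY_READ uid=0
appraise fowner=0"""

def parse_rule(line):
    """'action [condition ...]' -> {'action', 'cond', 'opts'}; blank and '#' lines -> None."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    action, *tokens = line.split()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    rule = {"action": action, "cond": {}, "opts": {}}
    for tok in tokens:
        key, _, val = tok.partition("=")
        if key in ("appraise_type", "permit_directio"):  # options never take part in matching
            rule["opts"][key] = val or True
        elif key == "func" and val in FUNCS | {"FILE_MMAP"}:
            rule["cond"][key] = "MMAP_CHECK" if val == "FILE_MMAP" else val  # assumed alias
        elif key == "mask" and val.lstrip("^") in MASKS:  # assumed: '^' = bit present, else exact mode
            rule["cond"][key] = (val.startswith("^"), val.lstrip("^"))
        elif (key in INT_BASE or key in LSM_KEYS) and val:
            rule["cond"][key] = int(val, INT_BASE[key]) if key in INT_BASE else val
        else:
            raise ValueError(f"bad condition {tok!r}")
    return rule

def cond_holds(key, want, ev):
    if key == "mask":  # want is (any_bit, name); ev["mask"] is the set of MAY_* names of the access
        return want[1] in ev["mask"] if want[0] else ev["mask"] == {want[1]}
    return ev.get(key) == want

def matches(rule, ev):
    return all(cond_holds(k, v, ev) for k, v in rule["cond"].items())

def decide(rules, ev):
    """First matching rule per action class decides, in written order (assumed semantics)."""
    return {do: next((r["action"] == do for r in rules if r["action"] in (do, dont) and matches(r, ev)), False)
            for do, dont in (("measure", "dont_measure"), ("appraise", "dont_appraise"), ("audit", None))}

def load_policy(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]
```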

                Examples of LSM specific definitions:

                SELinux:
                        dont_measure obj_type=var_log_t
                        dont_appraise obj_type=var_log_t
                        dont_measure obj_type=auditd_log_t
                        dont_appraise obj_type=auditd_log_t
                        measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
                        measure subj_role=system_r func=FILE_CHECK mask=MAY_READ

                Smack:
                        measure subj_user=_ func=FILE_CHECK mask=MAY_READ