Documentation/ABI/testing/ima_policy at v5.16 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / Documentation / ABI / testing / ima_policy
at v5.16 151 lines 5.1 kB view raw
  1What:		/sys/kernel/security/*/ima/policy
  2Date:		May 2008
  3Contact:	Mimi Zohar <zohar@us.ibm.com>
  4Description:
  5		The Trusted Computing Group(TCG) runtime Integrity
  6		Measurement Architecture(IMA) maintains a list of hash
  7		values of executables and other sensitive system files
  8		loaded into the run-time of this system.  At runtime,
  9		the policy can be constrained based on LSM specific data.
 10		Policies are loaded into the securityfs file ima/policy
 11		by opening the file, writing the rules one at a time and
 12		then closing the file.  The new policy takes effect after
 13		the file ima/policy is closed.
 14
 15		IMA appraisal, if configured, uses these file measurements
 16		for local measurement appraisal.
 17
 18		::
 19
 20		  rule format: action [condition ...]
 21
 22		  action: measure | dont_measure | appraise | dont_appraise |
 23			  audit | hash | dont_hash
 24		  condition:= base | lsm  [option]
 25			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
 26				[uid=] [euid=] [gid=] [egid=]
 27				[fowner=] [fgroup=]]
 28			lsm:	[[subj_user=] [subj_role=] [subj_type=]
 29				 [obj_user=] [obj_role=] [obj_type=]]
 30			option:	[[appraise_type=]] [template=] [permit_directio]
 31				[appraise_flag=] [appraise_algos=] [keyrings=]
 32		  base:
 33			func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
 34				[FIRMWARE_CHECK]
 35				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
 36				[KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
 37				[SETXATTR_CHECK]
 38			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
 39			       [[^]MAY_EXEC]
 40			fsmagic:= hex value
 41			fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
 42			uid:= decimal value
 43			euid:= decimal value
 44			gid:= decimal value
 45			egid:= decimal value
 46			fowner:= decimal value
 47			fgroup:= decimal value
 48		  lsm:  are LSM specific
 49		  option:
 50			appraise_type:= [imasig] [imasig|modsig]
 51			appraise_flag:= [check_blacklist]
 52			Currently, blacklist check is only for files signed with appended
 53			signature.
 54			keyrings:= list of keyrings
 55			(eg, .builtin_trusted_keys|.ima). Only valid
 56			when action is "measure" and func is KEY_CHECK.
 57			template:= name of a defined IMA template type
 58			(eg, ima-ng). Only valid when action is "measure".
 59			pcr:= decimal value
 60			label:= [selinux]|[kernel_info]|[data_label]
 61			data_label:= a unique string used for grouping and limiting critical data.
 62			For example, "selinux" to measure critical data for SELinux.
 63			appraise_algos:= comma-separated list of hash algorithms
 64			For example, "sha256,sha512" to only accept to appraise
 65			files where the security.ima xattr was hashed with one
 66			of these two algorithms.
 67
 68		  default policy:
 69			# PROC_SUPER_MAGIC
 70			dont_measure fsmagic=0x9fa0
 71			dont_appraise fsmagic=0x9fa0
 72			# SYSFS_MAGIC
 73			dont_measure fsmagic=0x62656572
 74			dont_appraise fsmagic=0x62656572
 75			# DEBUGFS_MAGIC
 76			dont_measure fsmagic=0x64626720
 77			dont_appraise fsmagic=0x64626720
 78			# TMPFS_MAGIC
 79			dont_measure fsmagic=0x01021994
 80			dont_appraise fsmagic=0x01021994
 81			# RAMFS_MAGIC
 82			dont_appraise fsmagic=0x858458f6
 83			# DEVPTS_SUPER_MAGIC
 84			dont_measure fsmagic=0x1cd1
 85			dont_appraise fsmagic=0x1cd1
 86			# BINFMTFS_MAGIC
 87			dont_measure fsmagic=0x42494e4d
 88			dont_appraise fsmagic=0x42494e4d
 89			# SECURITYFS_MAGIC
 90			dont_measure fsmagic=0x73636673
 91			dont_appraise fsmagic=0x73636673
 92			# SELINUX_MAGIC
 93			dont_measure fsmagic=0xf97cff8c
 94			dont_appraise fsmagic=0xf97cff8c
 95			# CGROUP_SUPER_MAGIC
 96			dont_measure fsmagic=0x27e0eb
 97			dont_appraise fsmagic=0x27e0eb
 98			# NSFS_MAGIC
 99			dont_measure fsmagic=0x6e736673
100			dont_appraise fsmagic=0x6e736673
101
102			measure func=BPRM_CHECK
103			measure func=FILE_MMAP mask=MAY_EXEC
104			measure func=FILE_CHECK mask=MAY_READ uid=0
105			measure func=MODULE_CHECK
106			measure func=FIRMWARE_CHECK
107			appraise fowner=0
108
109		The default policy measures all executables in bprm_check,
110		all files mmapped executable in file_mmap, and all files
111		open for read by root in do_filp_open.  The default appraisal
112		policy appraises all files owned by root.
113
114		Examples of LSM specific definitions:
115
116		SELinux::
117
118			dont_measure obj_type=var_log_t
119			dont_appraise obj_type=var_log_t
120			dont_measure obj_type=auditd_log_t
121			dont_appraise obj_type=auditd_log_t
122			measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
123			measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
124
125		Smack::
126
127			measure subj_user=_ func=FILE_CHECK mask=MAY_READ
128
129		Example of measure rules using alternate PCRs::
130
131			measure func=KEXEC_KERNEL_CHECK pcr=4
132			measure func=KEXEC_INITRAMFS_CHECK pcr=5
133
134		Example of appraise rule allowing modsig appended signatures:
135
136			appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
137
138		Example of measure rule using KEY_CHECK to measure all keys:
139
140			measure func=KEY_CHECK
141
142		Example of measure rule using KEY_CHECK to only measure
143		keys added to .builtin_trusted_keys or .ima keyring:
144
145			measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
146
147		Example of the special SETXATTR_CHECK appraise rule, that
148		restricts the hash algorithms allowed when writing to the
149		security.ima xattr of a file:
150
151			appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512