What:           /sys/kernel/security/*/ima/policy
Date:           May 2008
Contact:        Mimi Zohar <zohar@us.ibm.com>
Description:
        The Trusted Computing Group (TCG) runtime Integrity
        Measurement Architecture (IMA) maintains a list of hash
        values of executables and other sensitive system files
        loaded into the run-time of this system. At runtime,
        the policy can be constrained based on LSM specific data.
        Policies are loaded into the securityfs file ima/policy
        by opening the file, writing the rules one at a time and
        then closing the file. The new policy takes effect after
        the file ima/policy is closed.

        IMA appraisal, if configured, uses these file measurements
        for local measurement appraisal.

        ::

          rule format: action [condition ...]

          action: measure | dont_measure | appraise | dont_appraise |
                  audit | hash | dont_hash
          condition:= base | lsm  [option]
                base:   [[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
                        [uid=] [euid=] [gid=] [egid=]
                        [fowner=] [fgroup=]]
                lsm:    [[subj_user=] [subj_role=] [subj_type=]
                         [obj_user=] [obj_role=] [obj_type=]]
                option: [digest_type=] [template=] [permit_directio]
                        [appraise_type=] [appraise_flag=]
                        [appraise_algos=] [keyrings=]
          base:
                func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
                       [FIRMWARE_CHECK]
                       [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
                       [KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
                       [SETXATTR_CHECK]
                mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
                       [[^]MAY_EXEC]
                fsmagic:= hex value
                fsuuid:= file system UUID (e.g. 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
                uid:= decimal value
                euid:= decimal value
                gid:= decimal value
                egid:= decimal value
                fowner:= decimal value
                fgroup:= decimal value
          lsm:  are LSM specific
          option:
                appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
                    where 'imasig' is the original signature format or
                        signature format v2,
                    where 'modsig' is an appended signature,
                    where 'sigv3' is the signature format v3. (Currently
                        limited to fs-verity digest based signatures
                        stored in the security.ima xattr. Requires
                        specifying "digest_type=verity" first.)

                appraise_flag:= [check_blacklist]
                    Currently, the blacklist check is only done for files
                    signed with an appended signature.
                digest_type:= verity
                    Require fs-verity's file digest instead of the
                    regular IMA file hash.
                keyrings:= list of keyrings
                    (e.g. .builtin_trusted_keys|.ima). Only valid
                    when action is "measure" and func is KEY_CHECK.
                template:= name of a defined IMA template type
                    (e.g. ima-ng). Only valid when action is "measure".
                pcr:= decimal value
                label:= [selinux]|[kernel_info]|[data_label]
                data_label:= a unique string used for grouping and limiting critical data.
                    For example, "selinux" to measure critical data for SELinux.
                appraise_algos:= comma-separated list of hash algorithms
                    For example, "sha256,sha512" to only appraise files
                    where the security.ima xattr was hashed with one
                    of these two algorithms.

          default policy:
                # PROC_SUPER_MAGIC
                dont_measure fsmagic=0x9fa0
                dont_appraise fsmagic=0x9fa0
                # SYSFS_MAGIC
                dont_measure fsmagic=0x62656572
                dont_appraise fsmagic=0x62656572
                # DEBUGFS_MAGIC
                dont_measure fsmagic=0x64626720
                dont_appraise fsmagic=0x64626720
                # TMPFS_MAGIC
                dont_measure fsmagic=0x01021994
                dont_appraise fsmagic=0x01021994
                # RAMFS_MAGIC
                dont_appraise fsmagic=0x858458f6
                # DEVPTS_SUPER_MAGIC
                dont_measure fsmagic=0x1cd1
                dont_appraise fsmagic=0x1cd1
                # BINFMTFS_MAGIC
                dont_measure fsmagic=0x42494e4d
                dont_appraise fsmagic=0x42494e4d
                # SECURITYFS_MAGIC
                dont_measure fsmagic=0x73636673
                dont_appraise fsmagic=0x73636673
                # SELINUX_MAGIC
                dont_measure fsmagic=0xf97cff8c
                dont_appraise fsmagic=0xf97cff8c
                # CGROUP_SUPER_MAGIC
                dont_measure fsmagic=0x27e0eb
                dont_appraise fsmagic=0x27e0eb
                # NSFS_MAGIC
                dont_measure fsmagic=0x6e736673
                dont_appraise fsmagic=0x6e736673

                measure func=BPRM_CHECK
                measure func=FILE_MMAP mask=MAY_EXEC
                measure func=FILE_CHECK mask=MAY_READ uid=0
                measure func=MODULE_CHECK
                measure func=FIRMWARE_CHECK
                appraise fowner=0

        The default policy measures all executables in bprm_check,
        all files mmapped executable in file_mmap, and all files
        open for read by root in do_filp_open. The default appraisal
        policy appraises all files owned by root.
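        The rule grammar and the restrictions listed under "option:" above, worked as an added example that is not kernel code and not the kernel's own parser: a small Python checker (hypothetical helpers check_rule and check_policy) that parses rules one per line, with '#' comments as in the default policy, and rejects the combinations this document rules out (sigv3 without digest_type=verity, keyrings= outside a measure/KEY_CHECK rule, template= on a non-measure rule). It treats FILE_MMAP as the older spelling of MMAP_CHECK used in the default policy above.

```python
# Added example, not kernel code: vocabulary transcribed from the grammar above.
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise",
           "audit", "hash", "dont_hash"}
FUNCS = {"BPRM_CHECK", "MMAP_CHECK", "FILE_MMAP",  # FILE_MMAP: older name of MMAP_CHECK
         "CREDS_CHECK", "FILE_CHECK", "MODULE_CHECK", "FIRMWARE_CHECK",
         "KEXEC_KERNEL_CHECK", "KEXEC_INITRAMFS_CHECK", "KEXEC_CMDLINE",
         "KEY_CHECK", "CRITICAL_DATA", "SETXATTR_CHECK"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_APPEND", "MAY_EXEC"}
NUMERIC = {"uid", "euid", "gid", "egid", "fowner", "fgroup", "pcr"}
KEYS = NUMERIC | {"func", "mask", "fsmagic", "fsuuid", "fsname", "subj_user", "subj_role",
                  "subj_type", "obj_user", "obj_role", "obj_type", "digest_type", "template",
                  "appraise_type", "appraise_flag", "appraise_algos", "keyrings", "label"}
APPRAISE_TYPES = {"imasig", "imasig|modsig", "sigv3"}

def check_rule(line):
    """Parse one rule into (action, {condition: value}); ValueError if it breaks the grammar."""
    tokens = line.split()
    if not tokens or tokens[0] not in ACTIONS:
        raise ValueError(f"unknown action in {line!r}")
    action, c = tokens[0], {}
    for tok in tokens[1:]:
        key, _, val = tok.partition("=")
        if tok == "permit_directio":          # the only bare (valueless) option
            val = True
        elif key not in KEYS or not val or key in c:
            raise ValueError(f"bad or duplicate condition {tok!r}")
        c[key] = val
    bad = (("func" in c and c["func"] not in FUNCS)
           or ("mask" in c and c["mask"].lstrip("^") not in MASKS)
           or any(k in c and not c[k].isdigit() for k in NUMERIC)
           or ("digest_type" in c and c["digest_type"] != "verity")
           or ("appraise_type" in c and c["appraise_type"] not in APPRAISE_TYPES)
           # sigv3 needs digest_type=verity; keyrings= needs measure + KEY_CHECK; template= needs measure
           or (c.get("appraise_type") == "sigv3" and c.get("digest_type") != "verity")
           or ("keyrings" in c and (action, c.get("func")) != ("measure", "KEY_CHECK"))
           or ("template" in c and action != "measure"))
    if bad:
        raise ValueError(f"rule violates documented constraints: {line!r}")
    return action, c

def check_policy(text):
    """Check a whole policy (one rule per line, '#' comments); returns [(lineno, error)]."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        try:
            line and check_rule(line)
        except ValueError as e:
            problems.append((n, str(e)))
    return problems
```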

        Examples of LSM specific definitions:

        SELinux::

                dont_measure obj_type=var_log_t
                dont_appraise obj_type=var_log_t
                dont_measure obj_type=auditd_log_t
                dont_appraise obj_type=auditd_log_t
                measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
                measure subj_role=system_r func=FILE_CHECK mask=MAY_READ

        Smack::

                measure subj_user=_ func=FILE_CHECK mask=MAY_READ

        Example of measure rules using alternate PCRs::

                measure func=KEXEC_KERNEL_CHECK pcr=4
                measure func=KEXEC_INITRAMFS_CHECK pcr=5

        Example of an appraise rule allowing modsig appended signatures::

                appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig

        Example of a measure rule using KEY_CHECK to measure all keys::

                measure func=KEY_CHECK

        Example of a measure rule using KEY_CHECK to only measure
        keys added to the .builtin_trusted_keys or .ima keyring::

                measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima

        Example of the special SETXATTR_CHECK appraise rule that
        restricts the hash algorithms allowed when writing to the
        security.ima xattr of a file::

                appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512

        Example of a 'measure' rule requiring fs-verity's digests, with
        the type of digest indicated in the measurement list::

                measure func=FILE_CHECK digest_type=verity \
                        template=ima-ngv2

        Example of 'measure' and 'appraise' rules requiring fs-verity
        signatures (format version 3) stored in the security.ima xattr.

        The 'measure' rule specifies the 'ima-sigv3' template option,
        which includes the type of digest and the file signature in
        the measurement list::

                measure func=BPRM_CHECK digest_type=verity \
                        template=ima-sigv3

        The 'appraise' rule specifies the type and signature format
        version (sigv3) required::

                appraise func=BPRM_CHECK digest_type=verity \
                        appraise_type=sigv3

        All of these policy rules could, for example, be constrained
        either based on a filesystem's UUID (fsuuid) or based on LSM
        labels.