~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/ABI/testing/ima_policy

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/ABI/testing/ima_policy (Architecture mips) and /Documentation/ABI/testing/ima_policy (Architecture i386)


  1 What:           /sys/kernel/security/*/ima/pol      1 What:           /sys/kernel/security/*/ima/policy
  2 Date:           May 2008                            2 Date:           May 2008
  3 Contact:        Mimi Zohar <zohar@us.ibm.com>        3 Contact:        Mimi Zohar <zohar@us.ibm.com>
  4 Description:                                        4 Description:
  5                 The Trusted Computing Group(TC      5                 The Trusted Computing Group(TCG) runtime Integrity
  6                 Measurement Architecture(IMA)       6                 Measurement Architecture(IMA) maintains a list of hash
  7                 values of executables and othe      7                 values of executables and other sensitive system files
  8                 loaded into the run-time of th      8                 loaded into the run-time of this system.  At runtime,
  9                 the policy can be constrained       9                 the policy can be constrained based on LSM specific data.
 10                 Policies are loaded into the s     10                 Policies are loaded into the securityfs file ima/policy
 11                 by opening the file, writing t     11                 by opening the file, writing the rules one at a time and
 12                 then closing the file.  The ne     12                 then closing the file.  The new policy takes effect after
 13                 the file ima/policy is closed.     13                 the file ima/policy is closed.
 14                                                    14 
 15                 IMA appraisal, if configured,      15                 IMA appraisal, if configured, uses these file measurements
 16                 for local measurement appraisa     16                 for local measurement appraisal.
 17                                                    17 
 18                 ::                                 18                 ::
 19                                                    19 
 20                   rule format: action [conditi     20                   rule format: action [condition ...]
 21                                                    21 
 22                   action: measure | dont_measu     22                   action: measure | dont_measure | appraise | dont_appraise |
 23                           audit | hash | dont_     23                           audit | hash | dont_hash
 24                   condition:= base | lsm  [opt     24                   condition:= base | lsm  [option]
 25                         base:   [[func=] [mask     25                         base:   [[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
 26                                 [uid=] [euid=]     26                                 [uid=] [euid=] [gid=] [egid=]
 27                                 [fowner=] [fgr     27                                 [fowner=] [fgroup=]]
 28                         lsm:    [[subj_user=]      28                         lsm:    [[subj_user=] [subj_role=] [subj_type=]
 29                                  [obj_user=] [     29                                  [obj_user=] [obj_role=] [obj_type=]]
 30                         option: [digest_type=]     30                         option: [digest_type=] [template=] [permit_directio]
 31                                 [appraise_type     31                                 [appraise_type=] [appraise_flag=]
 32                                 [appraise_algo     32                                 [appraise_algos=] [keyrings=]
 33                   base:                            33                   base:
 34                         func:= [BPRM_CHECK][MM     34                         func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
 35                                 [FIRMWARE_CHEC     35                                 [FIRMWARE_CHECK]
 36                                 [KEXEC_KERNEL_     36                                 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
 37                                 [KEXEC_CMDLINE     37                                 [KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
 38                                 [SETXATTR_CHEC     38                                 [SETXATTR_CHECK][MMAP_CHECK_REQPROT]
 39                         mask:= [[^]MAY_READ] [     39                         mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
 40                                [[^]MAY_EXEC]       40                                [[^]MAY_EXEC]
 41                         fsmagic:= hex value        41                         fsmagic:= hex value
 42                         fsuuid:= file system U     42                         fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
 43                         uid:= decimal value        43                         uid:= decimal value
 44                         euid:= decimal value       44                         euid:= decimal value
 45                         gid:= decimal value        45                         gid:= decimal value
 46                         egid:= decimal value       46                         egid:= decimal value
 47                         fowner:= decimal value     47                         fowner:= decimal value
 48                         fgroup:= decimal value     48                         fgroup:= decimal value
 49                   lsm:  are LSM specific           49                   lsm:  are LSM specific
 50                   option:                          50                   option:
 51                         appraise_type:= [imasi     51                         appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
 52                             where 'imasig' is      52                             where 'imasig' is the original or the signature
 53                                 format v2.         53                                 format v2.
 54                             where 'modsig' is      54                             where 'modsig' is an appended signature,
 55                             where 'sigv3' is t     55                             where 'sigv3' is the signature format v3. (Currently
 56                                 limited to fsv     56                                 limited to fsverity digest based signatures
 57                                 stored in secu     57                                 stored in security.ima xattr. Requires
 58                                 specifying "di     58                                 specifying "digest_type=verity" first.)
 59                                                    59 
 60                         appraise_flag:= [check     60                         appraise_flag:= [check_blacklist] (deprecated)
 61                         Setting the check_blac     61                         Setting the check_blacklist flag is no longer necessary.
 62                         All appraisal function     62                         All appraisal functions set it by default.
 63                         digest_type:= verity       63                         digest_type:= verity
 64                             Require fs-verity'     64                             Require fs-verity's file digest instead of the
 65                             regular IMA file h     65                             regular IMA file hash.
 66                         keyrings:= list of key     66                         keyrings:= list of keyrings
 67                         (eg, .builtin_trusted_     67                         (eg, .builtin_trusted_keys|.ima). Only valid
 68                         when action is "measur     68                         when action is "measure" and func is KEY_CHECK.
 69                         template:= name of a d     69                         template:= name of a defined IMA template type
 70                         (eg, ima-ng). Only val     70                         (eg, ima-ng). Only valid when action is "measure".
 71                         pcr:= decimal value        71                         pcr:= decimal value
 72                         label:= [selinux]|[ker     72                         label:= [selinux]|[kernel_info]|[data_label]
 73                         data_label:= a unique      73                         data_label:= a unique string used for grouping and limiting critical data.
 74                         For example, "selinux"     74                         For example, "selinux" to measure critical data for SELinux.
 75                         appraise_algos:= comma     75                         appraise_algos:= comma-separated list of hash algorithms
 76                         For example, "sha256,s     76                         For example, "sha256,sha512" to only accept to appraise
 77                         files where the securi     77                         files where the security.ima xattr was hashed with one
 78                         of these two algorithm     78                         of these two algorithms.
 79                                                    79 
 80                   default policy:                  80                   default policy:
 81                         # PROC_SUPER_MAGIC         81                         # PROC_SUPER_MAGIC
 82                         dont_measure fsmagic=0     82                         dont_measure fsmagic=0x9fa0
 83                         dont_appraise fsmagic=     83                         dont_appraise fsmagic=0x9fa0
 84                         # SYSFS_MAGIC              84                         # SYSFS_MAGIC
 85                         dont_measure fsmagic=0     85                         dont_measure fsmagic=0x62656572
 86                         dont_appraise fsmagic=     86                         dont_appraise fsmagic=0x62656572
 87                         # DEBUGFS_MAGIC            87                         # DEBUGFS_MAGIC
 88                         dont_measure fsmagic=0     88                         dont_measure fsmagic=0x64626720
 89                         dont_appraise fsmagic=     89                         dont_appraise fsmagic=0x64626720
 90                         # TMPFS_MAGIC              90                         # TMPFS_MAGIC
 91                         dont_measure fsmagic=0     91                         dont_measure fsmagic=0x01021994
 92                         dont_appraise fsmagic=     92                         dont_appraise fsmagic=0x01021994
 93                         # RAMFS_MAGIC              93                         # RAMFS_MAGIC
 94                         dont_appraise fsmagic=     94                         dont_appraise fsmagic=0x858458f6
 95                         # DEVPTS_SUPER_MAGIC       95                         # DEVPTS_SUPER_MAGIC
 96                         dont_measure fsmagic=0     96                         dont_measure fsmagic=0x1cd1
 97                         dont_appraise fsmagic=     97                         dont_appraise fsmagic=0x1cd1
 98                         # BINFMTFS_MAGIC           98                         # BINFMTFS_MAGIC
 99                         dont_measure fsmagic=0     99                         dont_measure fsmagic=0x42494e4d
100                         dont_appraise fsmagic=    100                         dont_appraise fsmagic=0x42494e4d
101                         # SECURITYFS_MAGIC        101                         # SECURITYFS_MAGIC
102                         dont_measure fsmagic=0    102                         dont_measure fsmagic=0x73636673
103                         dont_appraise fsmagic=    103                         dont_appraise fsmagic=0x73636673
104                         # SELINUX_MAGIC           104                         # SELINUX_MAGIC
105                         dont_measure fsmagic=0    105                         dont_measure fsmagic=0xf97cff8c
106                         dont_appraise fsmagic=    106                         dont_appraise fsmagic=0xf97cff8c
107                         # CGROUP_SUPER_MAGIC      107                         # CGROUP_SUPER_MAGIC
108                         dont_measure fsmagic=0    108                         dont_measure fsmagic=0x27e0eb
109                         dont_appraise fsmagic=    109                         dont_appraise fsmagic=0x27e0eb
110                         # NSFS_MAGIC              110                         # NSFS_MAGIC
111                         dont_measure fsmagic=0    111                         dont_measure fsmagic=0x6e736673
112                         dont_appraise fsmagic=    112                         dont_appraise fsmagic=0x6e736673
113                                                   113 
114                         measure func=BPRM_CHEC    114                         measure func=BPRM_CHECK
115                         measure func=FILE_MMAP    115                         measure func=FILE_MMAP mask=MAY_EXEC
116                         measure func=FILE_CHEC    116                         measure func=FILE_CHECK mask=MAY_READ uid=0
117                         measure func=MODULE_CH    117                         measure func=MODULE_CHECK
118                         measure func=FIRMWARE_    118                         measure func=FIRMWARE_CHECK
119                         appraise fowner=0         119                         appraise fowner=0
120                                                   120 
121                 The default policy measures al    121                 The default policy measures all executables in bprm_check,
122                 all files mmapped executable i    122                 all files mmapped executable in file_mmap, and all files
123                 open for read by root in do_fi    123                 open for read by root in do_filp_open.  The default appraisal
124                 policy appraises all files own    124                 policy appraises all files owned by root.
125                                                   125 
126                 Examples of LSM specific defin    126                 Examples of LSM specific definitions:
127                                                   127 
128                 SELinux::                         128                 SELinux::
129                                                   129 
130                         dont_measure obj_type=    130                         dont_measure obj_type=var_log_t
131                         dont_appraise obj_type    131                         dont_appraise obj_type=var_log_t
132                         dont_measure obj_type=    132                         dont_measure obj_type=auditd_log_t
133                         dont_appraise obj_type    133                         dont_appraise obj_type=auditd_log_t
134                         measure subj_user=syst    134                         measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
135                         measure subj_role=syst    135                         measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
136                                                   136 
137                 Smack::                           137                 Smack::
138                                                   138 
139                         measure subj_user=_ fu    139                         measure subj_user=_ func=FILE_CHECK mask=MAY_READ
140                                                   140 
141                 Example of measure rules using    141                 Example of measure rules using alternate PCRs::
142                                                   142 
143                         measure func=KEXEC_KER    143                         measure func=KEXEC_KERNEL_CHECK pcr=4
144                         measure func=KEXEC_INI    144                         measure func=KEXEC_INITRAMFS_CHECK pcr=5
145                                                   145 
146                 Example of appraise rule allow    146                 Example of appraise rule allowing modsig appended signatures:
147                                                   147 
148                         appraise func=KEXEC_KE    148                         appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
149                                                   149 
150                 Example of measure rule using     150                 Example of measure rule using KEY_CHECK to measure all keys:
151                                                   151 
152                         measure func=KEY_CHECK    152                         measure func=KEY_CHECK
153                                                   153 
154                 Example of measure rule using     154                 Example of measure rule using KEY_CHECK to only measure
155                 keys added to .builtin_trusted    155                 keys added to .builtin_trusted_keys or .ima keyring:
156                                                   156 
157                         measure func=KEY_CHECK    157                         measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
158                                                   158 
159                 Example of the special SETXATT    159                 Example of the special SETXATTR_CHECK appraise rule, that
160                 restricts the hash algorithms     160                 restricts the hash algorithms allowed when writing to the
161                 security.ima xattr of a file:     161                 security.ima xattr of a file:
162                                                   162 
163                         appraise func=SETXATTR    163                         appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512
164                                                   164 
165                 Example of a 'measure' rule re    165                 Example of a 'measure' rule requiring fs-verity's digests
166                 with indication of type of dig    166                 with indication of type of digest in the measurement list.
167                                                   167 
168                         measure func=FILE_CHEC    168                         measure func=FILE_CHECK digest_type=verity \
169                                 template=ima-n    169                                 template=ima-ngv2
170                                                   170 
171                 Example of 'measure' and 'appr    171                 Example of 'measure' and 'appraise' rules requiring fs-verity
172                 signatures (format version 3)     172                 signatures (format version 3) stored in security.ima xattr.
173                                                   173 
174                 The 'measure' rule specifies t    174                 The 'measure' rule specifies the 'ima-sigv3' template option,
175                 which includes the indication     175                 which includes the indication of type of digest and the file
176                 signature in the measurement l    176                 signature in the measurement list.
177                                                   177 
178                         measure func=BPRM_CHEC    178                         measure func=BPRM_CHECK digest_type=verity \
179                                 template=ima-s    179                                 template=ima-sigv3
180                                                   180 
181                                                   181 
182                 The 'appraise' rule specifies     182                 The 'appraise' rule specifies the type and signature format
183                 version (sigv3) required.         183                 version (sigv3) required.
184                                                   184 
185                         appraise func=BPRM_CHE    185                         appraise func=BPRM_CHECK digest_type=verity \
186                                 appraise_type=    186                                 appraise_type=sigv3
187                                                   187 
188                 All of these policy rules coul    188                 All of these policy rules could, for example, be constrained
189                 either based on a filesystem's    189                 either based on a filesystem's UUID (fsuuid) or based on LSM
190                 labels.                           190                 labels.
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php