1 What: /sys/kernel/security/*/ima/pol 1 What: /sys/kernel/security/*/ima/policy
2 Date: May 2008 2 Date: May 2008
3 Contact: Mimi Zohar <zohar@us.ibm.com> 3 Contact: Mimi Zohar <zohar@us.ibm.com>
4 Description: 4 Description:
5 The Trusted Computing Group(TC 5 The Trusted Computing Group(TCG) runtime Integrity
6 Measurement Architecture(IMA) 6 Measurement Architecture(IMA) maintains a list of hash
7 values of executables and othe 7 values of executables and other sensitive system files
8 loaded into the run-time of th 8 loaded into the run-time of this system. At runtime,
9 the policy can be constrained 9 the policy can be constrained based on LSM specific data.
10 Policies are loaded into the s 10 Policies are loaded into the securityfs file ima/policy
11 by opening the file, writing t 11 by opening the file, writing the rules one at a time and
12 then closing the file. The ne 12 then closing the file. The new policy takes effect after
13 the file ima/policy is closed. 13 the file ima/policy is closed.
14 14
15 IMA appraisal, if configured, 15 IMA appraisal, if configured, uses these file measurements
16 for local measurement appraisa 16 for local measurement appraisal.
17 17
18 :: 18 ::
19 19
20 rule format: action [conditi 20 rule format: action [condition ...]
21 21
22 action: measure | dont_measu 22 action: measure | dont_measure | appraise | dont_appraise |
23 audit | hash | dont_ 23 audit | hash | dont_hash
24 condition:= base | lsm [opt 24 condition:= base | lsm [option]
25 base: [[func=] [mask 25 base: [[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
26 [uid=] [euid=] 26 [uid=] [euid=] [gid=] [egid=]
27 [fowner=] [fgr 27 [fowner=] [fgroup=]]
28 lsm: [[subj_user=] 28 lsm: [[subj_user=] [subj_role=] [subj_type=]
29 [obj_user=] [ 29 [obj_user=] [obj_role=] [obj_type=]]
30 option: [digest_type=] 30 option: [digest_type=] [template=] [permit_directio]
31 [appraise_type 31 [appraise_type=] [appraise_flag=]
32 [appraise_algo 32 [appraise_algos=] [keyrings=]
33 base: 33 base:
34 func:= [BPRM_CHECK][MM 34 func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
35 [FIRMWARE_CHEC 35 [FIRMWARE_CHECK]
36 [KEXEC_KERNEL_ 36 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
37 [KEXEC_CMDLINE 37 [KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
38 [SETXATTR_CHEC 38 [SETXATTR_CHECK][MMAP_CHECK_REQPROT]
39 mask:= [[^]MAY_READ] [ 39 mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
40 [[^]MAY_EXEC] 40 [[^]MAY_EXEC]
41 fsmagic:= hex value 41 fsmagic:= hex value
42 fsuuid:= file system U 42 fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
43 uid:= decimal value 43 uid:= decimal value
44 euid:= decimal value 44 euid:= decimal value
45 gid:= decimal value 45 gid:= decimal value
46 egid:= decimal value 46 egid:= decimal value
47 fowner:= decimal value 47 fowner:= decimal value
48 fgroup:= decimal value 48 fgroup:= decimal value
49 lsm: are LSM specific 49 lsm: are LSM specific
50 option: 50 option:
51 appraise_type:= [imasi 51 appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
52 where 'imasig' is 52 where 'imasig' is the original or the signature
53 format v2. 53 format v2.
54 where 'modsig' is 54 where 'modsig' is an appended signature,
55 where 'sigv3' is t 55 where 'sigv3' is the signature format v3. (Currently
56 limited to fsv 56 limited to fsverity digest based signatures
57 stored in secu 57 stored in security.ima xattr. Requires
58 specifying "di 58 specifying "digest_type=verity" first.)
59 59
60 appraise_flag:= [check 60 appraise_flag:= [check_blacklist] (deprecated)
61 Setting the check_blac 61 Setting the check_blacklist flag is no longer necessary.
62 All appraisal function 62 All appraisal functions set it by default.
63 digest_type:= verity 63 digest_type:= verity
64 Require fs-verity' 64 Require fs-verity's file digest instead of the
65 regular IMA file h 65 regular IMA file hash.
66 keyrings:= list of key 66 keyrings:= list of keyrings
67 (eg, .builtin_trusted_ 67 (eg, .builtin_trusted_keys|.ima). Only valid
68 when action is "measur 68 when action is "measure" and func is KEY_CHECK.
69 template:= name of a d 69 template:= name of a defined IMA template type
70 (eg, ima-ng). Only val 70 (eg, ima-ng). Only valid when action is "measure".
71 pcr:= decimal value 71 pcr:= decimal value
72 label:= [selinux]|[ker 72 label:= [selinux]|[kernel_info]|[data_label]
73 data_label:= a unique 73 data_label:= a unique string used for grouping and limiting critical data.
74 For example, "selinux" 74 For example, "selinux" to measure critical data for SELinux.
75 appraise_algos:= comma 75 appraise_algos:= comma-separated list of hash algorithms
76 For example, "sha256,s 76 For example, "sha256,sha512" to only accept to appraise
77 files where the securi 77 files where the security.ima xattr was hashed with one
78 of these two algorithm 78 of these two algorithms.
79 79
80 default policy: 80 default policy:
81 # PROC_SUPER_MAGIC 81 # PROC_SUPER_MAGIC
82 dont_measure fsmagic=0 82 dont_measure fsmagic=0x9fa0
83 dont_appraise fsmagic= 83 dont_appraise fsmagic=0x9fa0
84 # SYSFS_MAGIC 84 # SYSFS_MAGIC
85 dont_measure fsmagic=0 85 dont_measure fsmagic=0x62656572
86 dont_appraise fsmagic= 86 dont_appraise fsmagic=0x62656572
87 # DEBUGFS_MAGIC 87 # DEBUGFS_MAGIC
88 dont_measure fsmagic=0 88 dont_measure fsmagic=0x64626720
89 dont_appraise fsmagic= 89 dont_appraise fsmagic=0x64626720
90 # TMPFS_MAGIC 90 # TMPFS_MAGIC
91 dont_measure fsmagic=0 91 dont_measure fsmagic=0x01021994
92 dont_appraise fsmagic= 92 dont_appraise fsmagic=0x01021994
93 # RAMFS_MAGIC 93 # RAMFS_MAGIC
94 dont_appraise fsmagic= 94 dont_appraise fsmagic=0x858458f6
95 # DEVPTS_SUPER_MAGIC 95 # DEVPTS_SUPER_MAGIC
96 dont_measure fsmagic=0 96 dont_measure fsmagic=0x1cd1
97 dont_appraise fsmagic= 97 dont_appraise fsmagic=0x1cd1
98 # BINFMTFS_MAGIC 98 # BINFMTFS_MAGIC
99 dont_measure fsmagic=0 99 dont_measure fsmagic=0x42494e4d
100 dont_appraise fsmagic= 100 dont_appraise fsmagic=0x42494e4d
101 # SECURITYFS_MAGIC 101 # SECURITYFS_MAGIC
102 dont_measure fsmagic=0 102 dont_measure fsmagic=0x73636673
103 dont_appraise fsmagic= 103 dont_appraise fsmagic=0x73636673
104 # SELINUX_MAGIC 104 # SELINUX_MAGIC
105 dont_measure fsmagic=0 105 dont_measure fsmagic=0xf97cff8c
106 dont_appraise fsmagic= 106 dont_appraise fsmagic=0xf97cff8c
107 # CGROUP_SUPER_MAGIC 107 # CGROUP_SUPER_MAGIC
108 dont_measure fsmagic=0 108 dont_measure fsmagic=0x27e0eb
109 dont_appraise fsmagic= 109 dont_appraise fsmagic=0x27e0eb
110 # NSFS_MAGIC 110 # NSFS_MAGIC
111 dont_measure fsmagic=0 111 dont_measure fsmagic=0x6e736673
112 dont_appraise fsmagic= 112 dont_appraise fsmagic=0x6e736673
113 113
114 measure func=BPRM_CHEC 114 measure func=BPRM_CHECK
115 measure func=FILE_MMAP 115 measure func=FILE_MMAP mask=MAY_EXEC
116 measure func=FILE_CHEC 116 measure func=FILE_CHECK mask=MAY_READ uid=0
117 measure func=MODULE_CH 117 measure func=MODULE_CHECK
118 measure func=FIRMWARE_ 118 measure func=FIRMWARE_CHECK
119 appraise fowner=0 119 appraise fowner=0
120 120
121 The default policy measures al 121 The default policy measures all executables in bprm_check,
122 all files mmapped executable i 122 all files mmapped executable in file_mmap, and all files
123 open for read by root in do_fi 123 open for read by root in do_filp_open. The default appraisal
124 policy appraises all files own 124 policy appraises all files owned by root.
125 125
126 Examples of LSM specific defin 126 Examples of LSM specific definitions:
127 127
128 SELinux:: 128 SELinux::
129 129
130 dont_measure obj_type= 130 dont_measure obj_type=var_log_t
131 dont_appraise obj_type 131 dont_appraise obj_type=var_log_t
132 dont_measure obj_type= 132 dont_measure obj_type=auditd_log_t
133 dont_appraise obj_type 133 dont_appraise obj_type=auditd_log_t
134 measure subj_user=syst 134 measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
135 measure subj_role=syst 135 measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
136 136
137 Smack:: 137 Smack::
138 138
139 measure subj_user=_ fu 139 measure subj_user=_ func=FILE_CHECK mask=MAY_READ
140 140
141 Example of measure rules using 141 Example of measure rules using alternate PCRs::
142 142
143 measure func=KEXEC_KER 143 measure func=KEXEC_KERNEL_CHECK pcr=4
144 measure func=KEXEC_INI 144 measure func=KEXEC_INITRAMFS_CHECK pcr=5
145 145
146 Example of appraise rule allow 146 Example of appraise rule allowing modsig appended signatures:
147 147
148 appraise func=KEXEC_KE 148 appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
149 149
150 Example of measure rule using 150 Example of measure rule using KEY_CHECK to measure all keys:
151 151
152 measure func=KEY_CHECK 152 measure func=KEY_CHECK
153 153
154 Example of measure rule using 154 Example of measure rule using KEY_CHECK to only measure
155 keys added to .builtin_trusted 155 keys added to .builtin_trusted_keys or .ima keyring:
156 156
157 measure func=KEY_CHECK 157 measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
158 158
159 Example of the special SETXATT 159 Example of the special SETXATTR_CHECK appraise rule, that
160 restricts the hash algorithms 160 restricts the hash algorithms allowed when writing to the
161 security.ima xattr of a file: 161 security.ima xattr of a file:
162 162
163 appraise func=SETXATTR 163 appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512
164 164
165 Example of a 'measure' rule re 165 Example of a 'measure' rule requiring fs-verity's digests
166 with indication of type of dig 166 with indication of type of digest in the measurement list.
167 167
168 measure func=FILE_CHEC 168 measure func=FILE_CHECK digest_type=verity \
169 template=ima-n 169 template=ima-ngv2
170 170
171 Example of 'measure' and 'appr 171 Example of 'measure' and 'appraise' rules requiring fs-verity
172 signatures (format version 3) 172 signatures (format version 3) stored in security.ima xattr.
173 173
174 The 'measure' rule specifies t 174 The 'measure' rule specifies the 'ima-sigv3' template option,
175 which includes the indication 175 which includes the indication of type of digest and the file
176 signature in the measurement l 176 signature in the measurement list.
177 177
178 measure func=BPRM_CHEC 178 measure func=BPRM_CHECK digest_type=verity \
179 template=ima-s 179 template=ima-sigv3
180 180
181 181
182 The 'appraise' rule specifies 182 The 'appraise' rule specifies the type and signature format
183 version (sigv3) required. 183 version (sigv3) required.
184 184
185 appraise func=BPRM_CHE 185 appraise func=BPRM_CHECK digest_type=verity \
186 appraise_type= 186 appraise_type=sigv3
187 187
188 All of these policy rules coul 188 All of these policy rules could, for example, be constrained
189 either based on a filesystem's 189 either based on a filesystem's UUID (fsuuid) or based on LSM
190 labels. 190 labels.
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.