| Commit | Line | Data |
|---|---|---|
| 4af4662f MZ | 1 | What: security/ima/policy |
| | 2 | Date: May 2008 |
| | 3 | Contact: Mimi Zohar <zohar@us.ibm.com> |
| | 4 | Description: |
| | 5 | The Trusted Computing Group(TCG) runtime Integrity |
| | 6 | Measurement Architecture(IMA) maintains a list of hash |
| | 7 | values of executables and other sensitive system files |
| | 8 | loaded into the run-time of this system. At runtime, |
| | 9 | the policy can be constrained based on LSM specific data. |
| | 10 | Policies are loaded into the securityfs file ima/policy |
| | 11 | by opening the file, writing the rules one at a time and |
| | 12 | then closing the file. The new policy takes effect after |
| | 13 | the file ima/policy is closed. |
| | 14 | |
| | 15 | rule format: action [condition ...] |
| | 16 | |
| | 17 | action: measure \| dont_measure |
| | 18 | condition:= base \| lsm |
| | 19 | base: [[func=] [mask=] [fsmagic=] [uid=]] |
| | 20 | lsm: [[subj_user=] [subj_role=] [subj_type=] |
| | 21 | [obj_user=] [obj_role=] [obj_type=]] |
| | 22 | |
| 1e93d005 MZ | 23 | base: func:= [BPRM_CHECK][FILE_MMAP][FILE_CHECK] |
| 4af4662f MZ | 24 | mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] |
| | 25 | fsmagic:= hex value |
| | 26 | uid:= decimal value |
| | 27 | lsm: are LSM specific |
| | 28 | |
| | 29 | default policy: |
| | 30 | # PROC_SUPER_MAGIC |
| | 31 | dont_measure fsmagic=0x9fa0 |
| | 32 | # SYSFS_MAGIC |
| | 33 | dont_measure fsmagic=0x62656572 |
| | 34 | # DEBUGFS_MAGIC |
| | 35 | dont_measure fsmagic=0x64626720 |
| | 36 | # TMPFS_MAGIC |
| | 37 | dont_measure fsmagic=0x01021994 |
| | 38 | # SECURITYFS_MAGIC |
| | 39 | dont_measure fsmagic=0x73636673 |
| | 40 | |
| | 41 | measure func=BPRM_CHECK |
| | 42 | measure func=FILE_MMAP mask=MAY_EXEC |
| 1e93d005 MZ | 43 | measure func=FILE_CHECK mask=MAY_READ uid=0 |
| 4af4662f MZ | 44 | |
| | 45 | The default policy measures all executables in bprm_check, |
| | 46 | all files mmapped executable in file_mmap, and all files |
| 1e93d005 MZ | 47 | open for read by root in do_filp_open. |
| 4af4662f MZ | 48 | |
| | 49 | Examples of LSM specific definitions: |
| | 50 | |
| | 51 | SELinux: |
| | 52 | # SELINUX_MAGIC |
| | 53 | dont_measure fsmagic=0xF97CFF8C |
| | 54 | |
| | 55 | dont_measure obj_type=var_log_t |
| | 56 | dont_measure obj_type=auditd_log_t |
| 1e93d005 MZ | 57 | measure subj_user=system_u func=FILE_CHECK mask=MAY_READ |
| | 58 | measure subj_role=system_r func=FILE_CHECK mask=MAY_READ |
| 4af4662f MZ | 59 | |
| | 60 | Smack: |
| 1e93d005 MZ | 61 | measure subj_user=_ func=FILE_CHECK mask=MAY_READ |
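The rule grammar and the default policy above are easiest to understand by running them. The following Python is an added example, not kernel code and not part of the ABI file: it parses rules in the `action [condition ...]` form with the condition keys and value types the text lists, evaluates a parsed policy against a file-access event, and shows the load procedure the text describes (open `ima/policy`, write one rule per write, close). Two behaviours are assumptions, since the ABI text does not state them: rules are evaluated in order and the first match decides, and every condition compares by exact equality. The event dictionary shape, the helper names and the securityfs mount point `/sys/kernel/security` are likewise the example's own choices.

```python
"""Parser and evaluator for IMA measurement policy rules in the
'action [condition ...]' format from the ima/policy ABI text.
Added example for illustration; not kernel code."""
from typing import Optional

ACTIONS = ("measure", "dont_measure")
FUNCS = ("BPRM_CHECK", "FILE_MMAP", "FILE_CHECK")
MASKS = ("MAY_READ", "MAY_WRITE", "MAY_APPEND", "MAY_EXEC")
LSM_KEYS = ("subj_user", "subj_role", "subj_type",
            "obj_user", "obj_role", "obj_type")

# The default policy exactly as listed in the ABI text.
DEFAULT_POLICY = """\
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673

measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
"""


def parse_rule(line: str):
    """Parse one rule line into (action, conditions); return None for a
    blank or '#' comment line. Raises ValueError for anything outside
    the grammar given in the ABI text."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    action, *tokens = line.split()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    conds = {}
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if not sep or not value:
            raise ValueError(f"condition {tok!r} is not key=value")
        if key in conds:
            raise ValueError(f"duplicate condition {key!r}")
        if key == "func" and value in FUNCS:
            conds[key] = value
        elif key == "mask" and value in MASKS:
            conds[key] = value
        elif key == "fsmagic":
            conds[key] = int(value, 16)   # "hex value" per the ABI text
        elif key == "uid":
            conds[key] = int(value, 10)   # "decimal value" per the ABI text
        elif key in LSM_KEYS:
            conds[key] = value            # opaque, LSM-specific label
        else:
            raise ValueError(f"bad condition {tok!r}")
    return action, conds


def parse_policy(text: str) -> list:
    """Parse a whole policy, reporting the offending line number on error."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_rule(line)
        except ValueError as err:
            raise ValueError(f"line {lineno}: {err}") from None
        if parsed is not None:
            rules.append(parsed)
    return rules


def rule_matches(conds: dict, event: dict) -> bool:
    """A rule matches when each condition it names equals the event's value
    for that key; keys the rule omits are unconstrained. Assumption: exact
    equality for every key, including mask."""
    return all(event.get(key) == want for key, want in conds.items())


def decide(rules: list, event: dict) -> Optional[str]:
    """Action of the first matching rule, or None when nothing matches.
    Assumption: in-order evaluation, first match wins (not stated in
    the ABI text)."""
    for action, conds in rules:
        if rule_matches(conds, event):
            return action
    return None


def load_policy(text: str, path: str = "/sys/kernel/security/ima/policy") -> int:
    """Validate, then load the way the ABI text describes: open ima/policy,
    write the rules one at a time, close (policy takes effect on close).
    Needs root and securityfs mounted; mount point is an assumption."""
    rules = parse_policy(text)           # reject bad rules before touching the kernel
    with open(path, "w") as policy:
        for line in text.splitlines():
            if parse_rule(line) is not None:   # comments and blanks are not rules
                policy.write(line.strip() + "\n")
                policy.flush()                 # one write() per rule
    return len(rules)
```

Note how ordering matters in the default policy: an executable on procfs hits the `dont_measure fsmagic=0x9fa0` rule before `measure func=BPRM_CHECK` is ever reached, and a non-root `FILE_CHECK` read matches nothing at all, so it is not measured.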