What:           /sys/kernel/security/*/ima/policy
Date:           May 2008
Contact:        Mimi Zohar <zohar@us.ibm.com>
Description:
        The Trusted Computing Group (TCG) runtime Integrity
        Measurement Architecture (IMA) maintains a list of hash
        values of executables and other sensitive system files
        loaded into the run-time of this system.  At runtime,
        the policy can be constrained based on LSM specific data.
        Policies are loaded into the securityfs file ima/policy
        by opening the file, writing the rules one at a time and
        then closing the file.  The new policy takes effect after
        the file ima/policy is closed.

        IMA appraisal, if configured, uses these file measurements
        for local measurement appraisal.

        ::

          rule format: action [condition ...]

          action: measure | dont_measure | appraise | dont_appraise |
                  audit | hash | dont_hash
          condition:= base | lsm  [option]
                base:   [[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
                        [uid=] [euid=] [gid=] [egid=]
                        [fowner=] [fgroup=]]
                lsm:    [[subj_user=] [subj_role=] [subj_type=]
                         [obj_user=] [obj_role=] [obj_type=]]
                option: [digest_type=] [template=] [permit_directio]
                        [appraise_type=] [appraise_flag=]
                        [appraise_algos=] [keyrings=]
          base:
                func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
                        [FIRMWARE_CHECK]
                        [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
                        [KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
                        [SETXATTR_CHECK][MMAP_CHECK_REQPROT]
                mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
                       [[^]MAY_EXEC]
                fsmagic:= hex value
                fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
                uid:= decimal value
                euid:= decimal value
                gid:= decimal value
                egid:= decimal value
                fowner:= decimal value
                fgroup:= decimal value
          lsm:  are LSM specific
          option:
                appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
                    where 'imasig' is the original or the signature
                        format v2.
                    where 'modsig' is an appended signature,
                    where 'sigv3' is the signature format v3. (Currently
                        limited to fsverity digest based signatures
                        stored in security.ima xattr. Requires
                        specifying "digest_type=verity" first.)

                appraise_flag:= [check_blacklist] (deprecated)
                Setting the check_blacklist flag is no longer necessary.
                All appraisal functions set it by default.
                digest_type:= verity
                    Require fs-verity's file digest instead of the
                    regular IMA file hash.
                keyrings:= list of keyrings
                (eg, .builtin_trusted_keys|.ima). Only valid
                when action is "measure" and func is KEY_CHECK.
                template:= name of a defined IMA template type
                (eg, ima-ng). Only valid when action is "measure".
                pcr:= decimal value
                label:= [selinux]|[kernel_info]|[data_label]
                data_label:= a unique string used for grouping and limiting critical data.
                For example, "selinux" to measure critical data for SELinux.
                appraise_algos:= comma-separated list of hash algorithms
                For example, "sha256,sha512" to only accept to appraise
                files where the security.ima xattr was hashed with one
                of these two algorithms.

          default policy:
                # PROC_SUPER_MAGIC
                dont_measure fsmagic=0x9fa0
                dont_appraise fsmagic=0x9fa0
                # SYSFS_MAGIC
                dont_measure fsmagic=0x62656572
                dont_appraise fsmagic=0x62656572
                # DEBUGFS_MAGIC
                dont_measure fsmagic=0x64626720
                dont_appraise fsmagic=0x64626720
                # TMPFS_MAGIC
                dont_measure fsmagic=0x01021994
                dont_appraise fsmagic=0x01021994
                # RAMFS_MAGIC
                dont_appraise fsmagic=0x858458f6
                # DEVPTS_SUPER_MAGIC
                dont_measure fsmagic=0x1cd1
                dont_appraise fsmagic=0x1cd1
                # BINFMTFS_MAGIC
                dont_measure fsmagic=0x42494e4d
                dont_appraise fsmagic=0x42494e4d
                # SECURITYFS_MAGIC
                dont_measure fsmagic=0x73636673
                dont_appraise fsmagic=0x73636673
                # SELINUX_MAGIC
                dont_measure fsmagic=0xf97cff8c
                dont_appraise fsmagic=0xf97cff8c
                # CGROUP_SUPER_MAGIC
                dont_measure fsmagic=0x27e0eb
                dont_appraise fsmagic=0x27e0eb
                # NSFS_MAGIC
                dont_measure fsmagic=0x6e736673
                dont_appraise fsmagic=0x6e736673

                measure func=BPRM_CHECK
                measure func=FILE_MMAP mask=MAY_EXEC
                measure func=FILE_CHECK mask=MAY_READ uid=0
                measure func=MODULE_CHECK
                measure func=FIRMWARE_CHECK
                appraise fowner=0

        The default policy measures all executables in bprm_check,
        all files mmapped executable in file_mmap, and all files
        open for read by root in do_filp_open.  The default appraisal
        policy appraises all files owned by root.

        Examples of LSM specific definitions:

        SELinux::

                dont_measure obj_type=var_log_t
                dont_appraise obj_type=var_log_t
                dont_measure obj_type=auditd_log_t
                dont_appraise obj_type=auditd_log_t
                measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
                measure subj_role=system_r func=FILE_CHECK mask=MAY_READ

        Smack::

                measure subj_user=_ func=FILE_CHECK mask=MAY_READ

        Example of measure rules using alternate PCRs::

                measure func=KEXEC_KERNEL_CHECK pcr=4
                measure func=KEXEC_INITRAMFS_CHECK pcr=5

        Example of appraise rule allowing modsig appended signatures:

                appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig

        Example of measure rule using KEY_CHECK to measure all keys:

                measure func=KEY_CHECK

        Example of measure rule using KEY_CHECK to only measure
        keys added to .builtin_trusted_keys or .ima keyring:

                measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima

        Example of the special SETXATTR_CHECK appraise rule, that
        restricts the hash algorithms allowed when writing to the
        security.ima xattr of a file:

                appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512

        Example of a 'measure' rule requiring fs-verity's digests
        with indication of type of digest in the measurement list.

                measure func=FILE_CHECK digest_type=verity \
                        template=ima-ngv2

        Example of 'measure' and 'appraise' rules requiring fs-verity
        signatures (format version 3) stored in security.ima xattr.

        The 'measure' rule specifies the 'ima-sigv3' template option,
        which includes the indication of type of digest and the file
        signature in the measurement list.

                measure func=BPRM_CHECK digest_type=verity \
                        template=ima-sigv3

        The 'appraise' rule specifies the type and signature format
        version (sigv3) required.

                appraise func=BPRM_CHECK digest_type=verity \
                        appraise_type=sigv3

        All of these policy rules could, for example, be constrained
        either based on a filesystem's UUID (fsuuid) or based on LSM
        labels.