Documentation/ABI/testing/ima_policy

   1 What:           security/ima/policy
   2 Date:           May 2008
   3 Contact:        Mimi Zohar <zohar@us.ibm.com>
   4 Description:
   5                 The Trusted Computing Group(TCG) runtime Integrity
   6                 Measurement Architecture(IMA) maintains a list of hash
   7                 values of executables and other sensitive system files
   8                 loaded into the run-time of this system.  At runtime,
   9                 the policy can be constrained based on LSM specific data.
  10                 Policies are loaded into the securityfs file ima/policy
  11                 by opening the file, writing the rules one at a time and
  12                 then closing the file.  The new policy takes effect after
  13                 the file ima/policy is closed.
  14
  15                 rule format: action [condition ...]
  16
  17                 action: measure | dont_measure
  18                 condition:= base | lsm
  19                         base:   [[func=] [mask=] [fsmagic=] [uid=]]
  20                         lsm:    [[subj_user=] [subj_role=] [subj_type=]
  21                                  [obj_user=] [obj_role=] [obj_type=]]
  22
  23                 base:   func:= [BPRM_CHECK][FILE_MMAP][INODE_PERMISSION]
  24                         mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
  25                         fsmagic:= hex value
  26                         uid:= decimal value
  27                 lsm:    are LSM specific
  28
  29                 default policy:
  30                         # PROC_SUPER_MAGIC
  31                         dont_measure fsmagic=0x9fa0
  32                         # SYSFS_MAGIC
  33                         dont_measure fsmagic=0x62656572
  34                         # DEBUGFS_MAGIC
  35                         dont_measure fsmagic=0x64626720
  36                         # TMPFS_MAGIC
  37                         dont_measure fsmagic=0x01021994
  38                         # SECURITYFS_MAGIC
  39                         dont_measure fsmagic=0x73636673
  40
  41                         measure func=BPRM_CHECK
  42                         measure func=FILE_MMAP mask=MAY_EXEC
  43                         measure func=INODE_PERM mask=MAY_READ uid=0
  44
  45                 The default policy measures all executables in bprm_check,
  46                 all files mmapped executable in file_mmap, and all files
  47                 open for read by root in inode_permission.
  48
  49                 Examples of LSM specific definitions:
  50
  51                 SELinux:
  52                         # SELINUX_MAGIC
  53                         dont_measure fsmagic=0xF97CFF8C
  54
  55                         dont_measure obj_type=var_log_t
  56                         dont_measure obj_type=auditd_log_t
  57                         measure subj_user=system_u func=INODE_PERM mask=MAY_READ
  58                         measure subj_role=system_r func=INODE_PERM mask=MAY_READ
  59
  60                 Smack:
  61                         measure subj_user=_ func=INODE_PERM mask=MAY_READ