Home Explore Help
Sign In
samsung-sm8650
/
android_kernel_samsung_sm8650_ksu
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 5c86c450e2
Branches Tags
android_kernel_...
/
Documentation
/
ABI
/
testing
/
ima_policy

ima_policy 6.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190 
  1. What:		/sys/kernel/security/*/ima/policy
    2. 

  2. Date:		May 2008
    3. 

  3. Contact:	Mimi Zohar <[email protected]>
    4. 

  4. Description:
    5. 

  5. 		The Trusted Computing Group(TCG) runtime Integrity
    6. 

  6. 		Measurement Architecture(IMA) maintains a list of hash
    7. 

  7. 		values of executables and other sensitive system files
    8. 

  8. 		loaded into the run-time of this system.  At runtime,
    9. 

  9. 		the policy can be constrained based on LSM specific data.
    10. 

  10. 		Policies are loaded into the securityfs file ima/policy
    11. 

  11. 		by opening the file, writing the rules one at a time and
    12. 

  12. 		then closing the file.  The new policy takes effect after
    13. 

  13. 		the file ima/policy is closed.
    14. 

  14. 

  15. 		IMA appraisal, if configured, uses these file measurements
    16. 

  16. 		for local measurement appraisal.
    17. 

  17. 

  18. 		::
    19. 

  19. 

  20. 		  rule format: action [condition ...]
    21. 

  21. 

  22. 		  action: measure | dont_measure | appraise | dont_appraise |
    23. 

  23. 			  audit | hash | dont_hash
    24. 

  24. 		  condition:= base | lsm  [option]
    25. 

  25. 			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
    26. 

  26. 				[uid=] [euid=] [gid=] [egid=]
    27. 

  27. 				[fowner=] [fgroup=]]
    28. 

  28. 			lsm:	[[subj_user=] [subj_role=] [subj_type=]
    29. 

  29. 				 [obj_user=] [obj_role=] [obj_type=]]
    30. 

  30. 			option:	[digest_type=] [template=] [permit_directio]
    31. 

  31. 				[appraise_type=] [appraise_flag=]
    32. 

  32. 				[appraise_algos=] [keyrings=]
    33. 

  33. 		  base:
    34. 

  34. 			func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
    35. 

  35. 				[FIRMWARE_CHECK]
    36. 

  36. 				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
    37. 

  37. 				[KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
    38. 

  38. 				[SETXATTR_CHECK]
    39. 

  39. 			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
    40. 

  40. 			       [[^]MAY_EXEC]
    41. 

  41. 			fsmagic:= hex value
    42. 

  42. 			fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
    43. 

  43. 			uid:= decimal value
    44. 

  44. 			euid:= decimal value
    45. 

  45. 			gid:= decimal value
    46. 

  46. 			egid:= decimal value
    47. 

  47. 			fowner:= decimal value
    48. 

  48. 			fgroup:= decimal value
    49. 

  49. 		  lsm:  are LSM specific
    50. 

  50. 		  option:
    51. 

  51. 			appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
    52. 

  52. 			    where 'imasig' is the original or the signature
    53. 

  53. 				format v2.
    54. 

  54. 			    where 'modsig' is an appended signature,
    55. 

  55. 			    where 'sigv3' is the signature format v3. (Currently
    56. 

  56. 				limited to fsverity digest based signatures
    57. 

  57. 				stored in security.ima xattr. Requires
    58. 

  58. 				specifying "digest_type=verity" first.)
    59. 

  59. 

  60. 			appraise_flag:= [check_blacklist]
    61. 

  61. 			Currently, blacklist check is only for files signed with appended
    62. 

  62. 			signature.
    63. 

  63. 			digest_type:= verity
    64. 

  64. 			    Require fs-verity's file digest instead of the
    65. 

  65. 			    regular IMA file hash.
    66. 

  66. 			keyrings:= list of keyrings
    67. 

  67. 			(eg, .builtin_trusted_keys|.ima). Only valid
    68. 

  68. 			when action is "measure" and func is KEY_CHECK.
    69. 

  69. 			template:= name of a defined IMA template type
    70. 

  70. 			(eg, ima-ng). Only valid when action is "measure".
    71. 

  71. 			pcr:= decimal value
    72. 

  72. 			label:= [selinux]|[kernel_info]|[data_label]
    73. 

  73. 			data_label:= a unique string used for grouping and limiting critical data.
    74. 

  74. 			For example, "selinux" to measure critical data for SELinux.
    75. 

  75. 			appraise_algos:= comma-separated list of hash algorithms
    76. 

  76. 			For example, "sha256,sha512" to only accept to appraise
    77. 

  77. 			files where the security.ima xattr was hashed with one
    78. 

  78. 			of these two algorithms.
    79. 

  79. 

  80. 		  default policy:
    81. 

  81. 			# PROC_SUPER_MAGIC
    82. 

  82. 			dont_measure fsmagic=0x9fa0
    83. 

  83. 			dont_appraise fsmagic=0x9fa0
    84. 

  84. 			# SYSFS_MAGIC
    85. 

  85. 			dont_measure fsmagic=0x62656572
    86. 

  86. 			dont_appraise fsmagic=0x62656572
    87. 

  87. 			# DEBUGFS_MAGIC
    88. 

  88. 			dont_measure fsmagic=0x64626720
    89. 

  89. 			dont_appraise fsmagic=0x64626720
    90. 

  90. 			# TMPFS_MAGIC
    91. 

  91. 			dont_measure fsmagic=0x01021994
    92. 

  92. 			dont_appraise fsmagic=0x01021994
    93. 

  93. 			# RAMFS_MAGIC
    94. 

  94. 			dont_appraise fsmagic=0x858458f6
    95. 

  95. 			# DEVPTS_SUPER_MAGIC
    96. 

  96. 			dont_measure fsmagic=0x1cd1
    97. 

  97. 			dont_appraise fsmagic=0x1cd1
    98. 

  98. 			# BINFMTFS_MAGIC
    99. 

  99. 			dont_measure fsmagic=0x42494e4d
    100. 

  100. 			dont_appraise fsmagic=0x42494e4d
    101. 

  101. 			# SECURITYFS_MAGIC
    102. 

  102. 			dont_measure fsmagic=0x73636673
    103. 

  103. 			dont_appraise fsmagic=0x73636673
    104. 

  104. 			# SELINUX_MAGIC
    105. 

  105. 			dont_measure fsmagic=0xf97cff8c
    106. 

  106. 			dont_appraise fsmagic=0xf97cff8c
    107. 

  107. 			# CGROUP_SUPER_MAGIC
    108. 

  108. 			dont_measure fsmagic=0x27e0eb
    109. 

  109. 			dont_appraise fsmagic=0x27e0eb
    110. 

  110. 			# NSFS_MAGIC
    111. 

  111. 			dont_measure fsmagic=0x6e736673
    112. 

  112. 			dont_appraise fsmagic=0x6e736673
    113. 

  113. 

  114. 			measure func=BPRM_CHECK
    115. 

  115. 			measure func=FILE_MMAP mask=MAY_EXEC
    116. 

  116. 			measure func=FILE_CHECK mask=MAY_READ uid=0
    117. 

  117. 			measure func=MODULE_CHECK
    118. 

  118. 			measure func=FIRMWARE_CHECK
    119. 

  119. 			appraise fowner=0
    120. 

  120. 

  121. 		The default policy measures all executables in bprm_check,
    122. 

  122. 		all files mmapped executable in file_mmap, and all files
    123. 

  123. 		open for read by root in do_filp_open.  The default appraisal
    124. 

  124. 		policy appraises all files owned by root.
    125. 

  125. 

  126. 		Examples of LSM specific definitions:
    127. 

  127. 

  128. 		SELinux::
    129. 

  129. 

  130. 			dont_measure obj_type=var_log_t
    131. 

  131. 			dont_appraise obj_type=var_log_t
    132. 

  132. 			dont_measure obj_type=auditd_log_t
    133. 

  133. 			dont_appraise obj_type=auditd_log_t
    134. 

  134. 			measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
    135. 

  135. 			measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
    136. 

  136. 

  137. 		Smack::
    138. 

  138. 

  139. 			measure subj_user=_ func=FILE_CHECK mask=MAY_READ
    140. 

  140. 

  141. 		Example of measure rules using alternate PCRs::
    142. 

  142. 

  143. 			measure func=KEXEC_KERNEL_CHECK pcr=4
    144. 

  144. 			measure func=KEXEC_INITRAMFS_CHECK pcr=5
    145. 

  145. 

  146. 		Example of appraise rule allowing modsig appended signatures:
    147. 

  147. 

  148. 			appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
    149. 

  149. 

  150. 		Example of measure rule using KEY_CHECK to measure all keys:
    151. 

  151. 

  152. 			measure func=KEY_CHECK
    153. 

  153. 

  154. 		Example of measure rule using KEY_CHECK to only measure
    155. 

  155. 		keys added to .builtin_trusted_keys or .ima keyring:
    156. 

  156. 

  157. 			measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
    158. 

  158. 

  159. 		Example of the special SETXATTR_CHECK appraise rule, that
    160. 

  160. 		restricts the hash algorithms allowed when writing to the
    161. 

  161. 		security.ima xattr of a file:
    162. 

  162. 

  163. 			appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512
    164. 

  164. 

  165. 		Example of a 'measure' rule requiring fs-verity's digests
    166. 

  166. 		with indication of type of digest in the measurement list.
    167. 

  167. 

  168. 			measure func=FILE_CHECK digest_type=verity \
    169. 

  169. 				template=ima-ngv2
    170. 

  170. 

  171. 		Example of 'measure' and 'appraise' rules requiring fs-verity
    172. 

  172. 		signatures (format version 3) stored in security.ima xattr.
    173. 

  173. 

  174. 		The 'measure' rule specifies the 'ima-sigv3' template option,
    175. 

  175. 		which includes the indication of type of digest and the file
    176. 

  176. 		signature in the measurement list.
    177. 

  177. 

  178. 			measure func=BPRM_CHECK digest_type=verity \
    179. 

  179. 				template=ima-sigv3
    180. 

  180. 

  181. 

  182. 		The 'appraise' rule specifies the type and signature format
    183. 

  183. 		version (sigv3) required.
    184. 

  184. 

  185. 			appraise func=BPRM_CHECK digest_type=verity \
    186. 

  186. 				appraise_type=sigv3
    187. 

  187. 

  188. 		All of these policy rules could, for example, be constrained
    189. 

  189. 		either based on a filesystem's UUID (fsuuid) or based on LSM
    190. 

  190. 		labels.
    191.