ima_policy (5808611cccb28044940d04ebd303dc90f33b77b1) ima_policy (e9085e0ad38a333012629d815c203155d61ebe7e)
1What: security/ima/policy
2Date: May 2008
3Contact: Mimi Zohar <zohar@us.ibm.com>
4Description:
5 The Trusted Computing Group(TCG) runtime Integrity
6 Measurement Architecture(IMA) maintains a list of hash
7 values of executables and other sensitive system files
8 loaded into the run-time of this system. At runtime,

--- 11 unchanged lines hidden (view full) ---

20 action: measure | dont_measure | appraise | dont_appraise |
21 audit | hash | dont_hash
22 condition:= base | lsm [option]
23 base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
24 [euid=] [fowner=] [fsname=]]
25 lsm: [[subj_user=] [subj_role=] [subj_type=]
26 [obj_user=] [obj_role=] [obj_type=]]
27 option: [[appraise_type=]] [template=] [permit_directio]
1What: security/ima/policy
2Date: May 2008
3Contact: Mimi Zohar <zohar@us.ibm.com>
4Description:
5 The Trusted Computing Group(TCG) runtime Integrity
6 Measurement Architecture(IMA) maintains a list of hash
7 values of executables and other sensitive system files
8 loaded into the run-time of this system. At runtime,

--- 11 unchanged lines hidden (view full) ---

20 action: measure | dont_measure | appraise | dont_appraise |
21 audit | hash | dont_hash
22 condition:= base | lsm [option]
23 base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
24 [euid=] [fowner=] [fsname=]]
25 lsm: [[subj_user=] [subj_role=] [subj_type=]
26 [obj_user=] [obj_role=] [obj_type=]]
27 option: [[appraise_type=]] [template=] [permit_directio]
28 [appraise_flag=]
28 [appraise_flag=] [keyrings=]
29 base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
30 [FIRMWARE_CHECK]
31 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
32 [KEXEC_CMDLINE] [KEY_CHECK]
33 mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
34 [[^]MAY_EXEC]
35 fsmagic:= hex value
36 fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
37 uid:= decimal value
38 euid:= decimal value
39 fowner:= decimal value
40 lsm: are LSM specific
41 option: appraise_type:= [imasig] [imasig|modsig]
42 appraise_flag:= [check_blacklist]
43 Currently, blacklist check is only for files signed with appended
44 signature.
29 base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
30 [FIRMWARE_CHECK]
31 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
32 [KEXEC_CMDLINE] [KEY_CHECK]
33 mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
34 [[^]MAY_EXEC]
35 fsmagic:= hex value
36 fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
37 uid:= decimal value
38 euid:= decimal value
39 fowner:= decimal value
40 lsm: are LSM specific
41 option: appraise_type:= [imasig] [imasig|modsig]
42 appraise_flag:= [check_blacklist]
43 Currently, blacklist check is only for files signed with appended
44 signature.
45 keyrings:= list of keyrings
46 (eg, .builtin_trusted_keys|.ima). Only valid
47 when action is "measure" and func is KEY_CHECK.
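Review bot: the new keyrings= description (new-side lines 45-47) shows a '|'-separated list only by example and never states the separator or that each entry is a full keyring name, leading dot included (".ima", ".builtin_trusted_keys"); state it outright, e.g. `keyrings:= '|'-separated list of keyring names, matched exactly`, so nobody tries comma or space separated lists. The same block should also say what happens when keyrings= is combined with an action other than "measure" or a func other than KEY_CHECK: "Only valid when" leaves open whether the rule is rejected at policy load or the option is silently ignored, and the two have very different security consequences for a policy author. Minor, while line 28 is being touched: `[keyrings=]` is added to the option grammar, but `pcr=`, which is described a few lines below, is still missing from that grammar.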
45 template:= name of a defined IMA template type
46 (eg, ima-ng). Only valid when action is "measure".
47 pcr:= decimal value
48
49 default policy:
50 # PROC_SUPER_MAGIC
51 dont_measure fsmagic=0x9fa0
52 dont_appraise fsmagic=0x9fa0

--- 59 unchanged lines hidden (view full) ---

112
113 Example of appraise rule allowing modsig appended signatures:
114
115 appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
116
117 Example of measure rule using KEY_CHECK to measure all keys:
118
119 measure func=KEY_CHECK
48 template:= name of a defined IMA template type
49 (eg, ima-ng). Only valid when action is "measure".
50 pcr:= decimal value
51
52 default policy:
53 # PROC_SUPER_MAGIC
54 dont_measure fsmagic=0x9fa0
55 dont_appraise fsmagic=0x9fa0

--- 59 unchanged lines hidden (view full) ---

115
116 Example of appraise rule allowing modsig appended signatures:
117
118 appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
119
120 Example of measure rule using KEY_CHECK to measure all keys:
121
122 measure func=KEY_CHECK
123
124 Example of measure rule using KEY_CHECK to only measure
125 keys added to .builtin_trusted_keys or .ima keyring:
126
127 measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
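Review bot: the new example at line 127 reads well, but the two KEY_CHECK examples (lines 122 and 127) are presented side by side without saying how they relate: whether the keyrings= form is meant to replace the unrestricted `measure func=KEY_CHECK` in a policy that only wants trust-anchor keyrings measured, or whether both may appear together and what the result is then. One sentence before line 124 stating which form to use and why (measuring every key on every keyring can be noisy, restricting to .builtin_trusted_keys|.ima captures the keys that matter for appraisal) would prevent readers from pasting both lines into a policy.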