1What:		/sys/kernel/security/*/ima/policy
2Date:		May 2008
3Contact:	Mimi Zohar <zohar@us.ibm.com>
4Description:
5		The Trusted Computing Group(TCG) runtime Integrity
6		Measurement Architecture(IMA) maintains a list of hash
7		values of executables and other sensitive system files
8		loaded into the run-time of this system.  At runtime,
9		the policy can be constrained based on LSM specific data.
		Policies are loaded into the securityfs file ima/policy
		by opening the file, writing the rules one at a time and
		then closing the file.  The new policy takes effect only
		after the file ima/policy is closed.  If any rule fails
		to parse, the entire set of rules written is discarded on
		close rather than being partially applied, so check the
		return status of the write/close.  Unless the kernel is
		built with CONFIG_IMA_WRITE_POLICY, the policy can be
		loaded only once; afterwards ima/policy is no longer
		writable.
14
		IMA appraisal, if configured, uses these same file
		measurements to verify files locally, comparing them
		against the hash or signature stored in the file's
		security.ima xattr.
17
18		::
19
20		  rule format: action [condition ...]
21
22		  action: measure | dont_measure | appraise | dont_appraise |
23			  audit | dont_audit | hash | dont_hash
24		  condition:= base | lsm  [option]
25			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
26				[fs_subtype=]
27				[uid=] [euid=] [gid=] [egid=]
28				[fowner=] [fgroup=]]
29			lsm:	[[subj_user=] [subj_role=] [subj_type=]
30				 [obj_user=] [obj_role=] [obj_type=]]
31			option:	[digest_type=] [template=] [permit_directio]
32				[appraise_type=] [appraise_flag=]
33				[appraise_algos=] [keyrings=]
34		  base:
			func:= [BPRM_CHECK] [MMAP_CHECK] [CREDS_CHECK] [FILE_CHECK]
				[MODULE_CHECK] [FIRMWARE_CHECK]
				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
				[KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
				[SETXATTR_CHECK] [MMAP_CHECK_REQPROT]
40			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
41			       [[^]MAY_EXEC]
42			fsmagic:= hex value
			fsuuid:= file system UUID (e.g. 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
44			uid:= decimal value
45			euid:= decimal value
46			gid:= decimal value
47			egid:= decimal value
48			fowner:= decimal value
49			fgroup:= decimal value
50		  lsm:  are LSM specific
51		  option:
			appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
			    where 'imasig' accepts the original IMA signature
				or signature format v2 stored in security.ima,
			    where 'modsig' additionally accepts an appended
				(module-style) signature,
			    where 'sigv3' requires signature format v3.
57
58			appraise_flag:= [check_blacklist] (deprecated)
59			Setting the check_blacklist flag is no longer necessary.
60			All appraisal functions set it by default.
61			digest_type:= verity
62			    Require fs-verity's file digest instead of the
63			    regular IMA file hash.
			keyrings:= '|'-separated list of keyrings
			(e.g. .builtin_trusted_keys|.ima). Only valid
			when action is "measure" and func is KEY_CHECK.
			template:= name of a defined IMA template type
			(e.g. ima-ng). Only valid when action is "measure".
			pcr:= decimal value
			    Selects the TPM PCR to extend with the measurement.
			    Only valid when action is "measure"; if omitted,
			    the default IMA PCR (CONFIG_IMA_MEASURE_PCR_IDX)
			    is used.
			label:= [selinux]|[kernel_info]|[data_label]
			    Used with func=CRITICAL_DATA to select which
			    critical data is measured.
			data_label:= a unique string used for grouping and limiting critical data.
			For example, "selinux" to measure critical data for SELinux.
			appraise_algos:= comma-separated list of hash algorithms
			For example, "sha256,sha512" to appraise only those
			files whose security.ima xattr was hashed with one of
			these two algorithms; any other algorithm is rejected.
77
78		  default policy:
79			# PROC_SUPER_MAGIC
80			dont_measure fsmagic=0x9fa0
81			dont_appraise fsmagic=0x9fa0
82			# SYSFS_MAGIC
83			dont_measure fsmagic=0x62656572
84			dont_appraise fsmagic=0x62656572
85			# DEBUGFS_MAGIC
86			dont_measure fsmagic=0x64626720
87			dont_appraise fsmagic=0x64626720
88			# TMPFS_MAGIC
89			dont_measure fsmagic=0x01021994
90			dont_appraise fsmagic=0x01021994
91			# RAMFS_MAGIC
92			dont_appraise fsmagic=0x858458f6
93			# DEVPTS_SUPER_MAGIC
94			dont_measure fsmagic=0x1cd1
95			dont_appraise fsmagic=0x1cd1
96			# BINFMTFS_MAGIC
97			dont_measure fsmagic=0x42494e4d
98			dont_appraise fsmagic=0x42494e4d
99			# SECURITYFS_MAGIC
100			dont_measure fsmagic=0x73636673
101			dont_appraise fsmagic=0x73636673
102			# SELINUX_MAGIC
103			dont_measure fsmagic=0xf97cff8c
104			dont_appraise fsmagic=0xf97cff8c
105			# CGROUP_SUPER_MAGIC
106			dont_measure fsmagic=0x27e0eb
107			dont_appraise fsmagic=0x27e0eb
108			# NSFS_MAGIC
109			dont_measure fsmagic=0x6e736673
110			dont_appraise fsmagic=0x6e736673
111
112			measure func=BPRM_CHECK
113			measure func=FILE_MMAP mask=MAY_EXEC
114			measure func=FILE_CHECK mask=MAY_READ uid=0
115			measure func=MODULE_CHECK
116			measure func=FIRMWARE_CHECK
117			appraise fowner=0
118
		The default policy measures all executables in bprm_check,
		all files mmapped executable in file_mmap (FILE_MMAP is a
		legacy alias accepted for MMAP_CHECK), and all files opened
		for read by root in do_filp_open.  The default appraisal
		policy appraises all files owned by root: every root-owned
		file on a filesystem not excluded by the dont_appraise rules
		above must carry a valid security.ima hash or signature, or
		access is denied when appraisal is in enforce mode (see the
		ima_appraise= boot parameter).  These built-in rules
		correspond to the "tcb" and "appraise_tcb" policies selected
		with the ima_policy= boot parameter; if neither a built-in
		nor a loaded policy is present, nothing is measured or
		appraised.
123
124		Examples of LSM specific definitions:
125
126		SELinux::
127
128			dont_measure obj_type=var_log_t
129			dont_appraise obj_type=var_log_t
130			dont_measure obj_type=auditd_log_t
131			dont_appraise obj_type=auditd_log_t
132			measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
133			measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
134
135		Smack::
136
137			measure subj_user=_ func=FILE_CHECK mask=MAY_READ
138
139		Example of measure rules using alternate PCRs::
140
141			measure func=KEXEC_KERNEL_CHECK pcr=4
142			measure func=KEXEC_INITRAMFS_CHECK pcr=5
143
		Example of appraise rule allowing modsig appended signatures::
145
146			appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
147
		Example of measure rule using KEY_CHECK to measure all keys::
149
150			measure func=KEY_CHECK
151
		Example of measure rule using KEY_CHECK to only measure
		keys added to the .builtin_trusted_keys or .ima keyring::
154
155			measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
156
		Example of the special SETXATTR_CHECK appraise rule, which
		restricts the hash algorithms allowed when writing to the
		security.ima xattr of a file::
160
161			appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512
162
		Example of a 'measure' rule requiring fs-verity's digest,
		with the digest type recorded in the measurement list::
165
166			measure func=FILE_CHECK digest_type=verity \
167				template=ima-ngv2
168
		Example of 'measure' and 'appraise' rules requiring fs-verity
		signatures (signature format version 3) stored in the
		security.ima xattr.

		The 'measure' rule specifies the 'ima-sigv3' template option,
		which records the digest type and the file signature in the
		measurement list::
175
176			measure func=BPRM_CHECK digest_type=verity \
177				template=ima-sigv3
178
179
		The 'appraise' rule specifies the digest type and the
		signature format version (sigv3) required::
182
183			appraise func=BPRM_CHECK digest_type=verity \
184				appraise_type=sigv3
185
		Example of a regular IMA file hash 'appraise' rule requiring
		a signature in format version 3 stored in the security.ima
		xattr::
188
189			appraise func=BPRM_CHECK appraise_type=sigv3
190
191		All of these policy rules could, for example, be constrained
192		either based on a filesystem's UUID (fsuuid) or based on LSM
193		labels.
194