What:           /sys/kernel/security/*/ima/policy
Date:           May 2008
Contact:        Mimi Zohar <zohar@us.ibm.com>
Description:
        The Trusted Computing Group (TCG) runtime Integrity
        Measurement Architecture (IMA) maintains a list of hash
        values of executables and other sensitive system files
        loaded into the run-time of this system. At runtime,
        the policy can be constrained based on LSM-specific data.
        Policies are loaded into the securityfs file ima/policy
        by opening the file, writing the rules one at a time and
        then closing the file. The new policy takes effect after
        the file ima/policy is closed.

        IMA appraisal, if configured, uses these file measurements
        for local measurement appraisal.

        ::

          rule format: action [condition ...]

          action: measure | dont_measure | appraise | dont_appraise |
                  audit | dont_audit | hash | dont_hash
          condition:= base | lsm  [option]
                base:   [[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
                        [fs_subtype=]
                        [uid=] [euid=] [gid=] [egid=]
                        [fowner=] [fgroup=]]
                lsm:    [[subj_user=] [subj_role=] [subj_type=]
                         [obj_user=] [obj_role=] [obj_type=]]
                option: [digest_type=] [template=] [permit_directio]
                        [appraise_type=] [appraise_flag=]
                        [appraise_algos=] [keyrings=]
          base:
                func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
                        [FIRMWARE_CHECK]
                        [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
                        [KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
                        [SETXATTR_CHECK][MMAP_CHECK_REQPROT]
                mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
                       [[^]MAY_EXEC]
                fsmagic:= hex value
                fsuuid:= file system UUID (e.g. 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
                uid:= decimal value
                euid:= decimal value
                gid:= decimal value
                egid:= decimal value
                fowner:= decimal value
                fgroup:= decimal value
          lsm:  are LSM specific
          option:
                appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
                    where 'imasig' is the original or the signature
                        format v2.
                    where 'modsig' is an appended signature,
                    where 'sigv3' is the signature format v3. (Currently
                        limited to fsverity digest based signatures
                        stored in security.ima xattr. Requires
                        specifying "digest_type=verity" first.)

                appraise_flag:= [check_blacklist] (deprecated)
                    Setting the check_blacklist flag is no longer necessary.
                    All appraisal functions set it by default.
                digest_type:= verity
                    Require fs-verity's file digest instead of the
                    regular IMA file hash.
                keyrings:= list of keyrings
                    (e.g., .builtin_trusted_keys|.ima). Only valid
                    when action is "measure" and func is KEY_CHECK.
                template:= name of a defined IMA template type
                    (e.g., ima-ng). Only valid when action is "measure".
                pcr:= decimal value
                label:= [selinux]|[kernel_info]|[data_label]
                data_label:= a unique string used for grouping and limiting critical data.
                    For example, "selinux" to measure critical data for SELinux.
                appraise_algos:= comma-separated list of hash algorithms
                    For example, "sha256,sha512" to appraise only files
                    whose security.ima xattr was hashed with one of
                    these two algorithms.

          default policy:
                # PROC_SUPER_MAGIC
                dont_measure fsmagic=0x9fa0
                dont_appraise fsmagic=0x9fa0
                # SYSFS_MAGIC
                dont_measure fsmagic=0x62656572
                dont_appraise fsmagic=0x62656572
                # DEBUGFS_MAGIC
                dont_measure fsmagic=0x64626720
                dont_appraise fsmagic=0x64626720
                # TMPFS_MAGIC
                dont_measure fsmagic=0x01021994
                dont_appraise fsmagic=0x01021994
                # RAMFS_MAGIC
                dont_appraise fsmagic=0x858458f6
                # DEVPTS_SUPER_MAGIC
                dont_measure fsmagic=0x1cd1
                dont_appraise fsmagic=0x1cd1
                # BINFMTFS_MAGIC
                dont_measure fsmagic=0x42494e4d
                dont_appraise fsmagic=0x42494e4d
                # SECURITYFS_MAGIC
                dont_measure fsmagic=0x73636673
                dont_appraise fsmagic=0x73636673
                # SELINUX_MAGIC
                dont_measure fsmagic=0xf97cff8c
                dont_appraise fsmagic=0xf97cff8c
                # CGROUP_SUPER_MAGIC
                dont_measure fsmagic=0x27e0eb
                dont_appraise fsmagic=0x27e0eb
                # NSFS_MAGIC
                dont_measure fsmagic=0x6e736673
                dont_appraise fsmagic=0x6e736673

                measure func=BPRM_CHECK
                measure func=FILE_MMAP mask=MAY_EXEC
                measure func=FILE_CHECK mask=MAY_READ uid=0
                measure func=MODULE_CHECK
                measure func=FIRMWARE_CHECK
                appraise fowner=0

        The default policy measures all executables in bprm_check,
        all files mmapped executable in file_mmap, and all files
        open for read by root in do_filp_open. The default appraisal
        policy appraises all files owned by root.
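As an added example (not part of the kernel documentation and not the kernel's own policy parser), the following Python script parses rules written in the grammar above, enforces the option constraints the description states (keyrings= only with measure and func=KEY_CHECK, template= only with measure, appraise_type=sigv3 only after digest_type=verity) and evaluates an abridged copy of the default policy against constructed sample accesses. The matching model it uses (for each action class the first matching rule in file order wins; a plain mask= requires an exact match while ^MAY_x requires only that bit to be set; FILE_MMAP is treated as the legacy spelling of MMAP_CHECK) is this example's reading of the kernel's behaviour rather than something the document states, the MAY_* bit values are those of <linux/fs.h>, and the sample accesses and their filesystem magic values are constructed.

```python
"""Parse and evaluate IMA policy rules in the format described above.

Constructed example, not kernel code. Matching model (an assumption about the
kernel): per action class (measure, appraise, audit, hash) the first matching rule
in file order decides; plain mask= must equal the access mask, ^MAY_x only needs
that bit set; '#' lines are comments; FILE_MMAP is a legacy name for MMAP_CHECK.
"""
ACTIONS = {a for c in ("measure", "appraise", "audit", "hash") for a in (c, "dont_" + c)}
FUNCS = {"BPRM_CHECK", "MMAP_CHECK", "CREDS_CHECK", "FILE_CHECK", "MODULE_CHECK",
         "FIRMWARE_CHECK", "KEXEC_KERNEL_CHECK", "KEXEC_INITRAMFS_CHECK", "KEXEC_CMDLINE",
         "KEY_CHECK", "CRITICAL_DATA", "SETXATTR_CHECK", "MMAP_CHECK_REQPROT"}
MASK_BITS = {"MAY_EXEC": 1, "MAY_WRITE": 2, "MAY_READ": 4, "MAY_APPEND": 8}  # <linux/fs.h>
DECIMAL = {"uid", "euid", "gid", "egid", "fowner", "fgroup", "pcr"}
# Options shape what is recorded or verified; they never select a file.
OPTIONS = {"digest_type", "template", "permit_directio", "appraise_type",
           "appraise_flag", "appraise_algos", "keyrings", "pcr", "label"}
SELECTORS = DECIMAL | {"fsmagic", "fsuuid", "fsname", "fs_subtype", "subj_user",
                       "subj_role", "subj_type", "obj_user", "obj_role", "obj_type"}
APPRAISE_TYPES = {"imasig", "imasig|modsig", "sigv3"}

def parse_rule(line):
    """Turn one rule line into {'action': str, 'cond': {key: value}}."""
    tokens = line.split()
    if not tokens or tokens[0] not in ACTIONS:
        raise ValueError(f"unknown action in rule {line!r}")
    action, cond = tokens[0], {}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if tok == "permit_directio":
            val = True
        elif not sep or key not in SELECTORS | OPTIONS | {"func", "mask"}:
            raise ValueError(f"bad token {tok!r}")
        elif key == "func":
            val = "MMAP_CHECK" if val == "FILE_MMAP" else val  # legacy spelling
            if val not in FUNCS:
                raise ValueError(f"unknown func {val!r}")
        elif key == "mask" and val.lstrip("^") not in MASK_BITS:
            raise ValueError(f"unknown mask {val!r}")
        elif key == "fsmagic":
            val = int(val, 16)
        elif key in DECIMAL:
            val = int(val, 10)
        elif key == "appraise_type":
            if val not in APPRAISE_TYPES:
                raise ValueError(f"unknown appraise_type {val!r}")
            if val == "sigv3" and cond.get("digest_type") != "verity":
                raise ValueError("sigv3 needs digest_type=verity specified first")
        cond[key] = val
    if "keyrings" in cond and (action != "measure" or cond.get("func") != "KEY_CHECK"):
        raise ValueError("keyrings= is only valid with measure and func=KEY_CHECK")
    if "template" in cond and action != "measure":
        raise ValueError("template= is only valid when action is measure")
    return {"action": action, "cond": cond}

def is_valid_rule(line):
    try:
        return bool(parse_rule(line))
    except ValueError:
        return False

def load_policy(text):
    """Parse a policy body, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in text.splitlines() if l.strip() and l.lstrip()[0] != "#"]

def matches(rule, event):
    """Does every selecting condition of the rule hold for the access event?"""
    for key, want in rule["cond"].items():
        if key in OPTIONS:
            continue
        if key == "mask":
            have, bit = event.get("mask", 0), MASK_BITS[want.lstrip("^")]
            if not (have & bit if want[0] == "^" else have == bit):
                return False
        elif event.get(key) != want:
            return False
    return True

def decide(rules, event):
    """Per action class the first matching rule wins: True = do, False = dont_."""
    decision = {}
    for rule in rules:
        action = rule["action"]
        cls = action[5:] if action.startswith("dont_") else action
        if cls not in decision and matches(rule, event):
            decision[cls] = not action.startswith("dont_")
    return decision

# Abridged default policy from the documentation, as it would be written to ima/policy.
DEFAULT_POLICY = """\
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x9fa0
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
appraise fowner=0
"""
DEFAULT_RULES = load_policy(DEFAULT_POLICY)

# Constructed sample accesses: 0xef53 is EXT4_SUPER_MAGIC, mask 4 is MAY_READ.
ROOT_READS_PROC = {"func": "FILE_CHECK", "mask": 4, "uid": 0, "fsmagic": 0x9fa0, "fowner": 0}
ROOT_READS_ETC = {"func": "FILE_CHECK", "mask": 4, "uid": 0, "fsmagic": 0xef53, "fowner": 0}
```

`decide(DEFAULT_RULES, ROOT_READS_PROC)` returns `{"measure": False, "appraise": False}` because the procfs `dont_` rules come first, while `decide(DEFAULT_RULES, ROOT_READS_ETC)` returns `{"measure": True, "appraise": True}`; an access that no rule of a class matches leaves that class out of the result, which is the "no action" default. Rule order therefore matters as much as rule content when a policy is written to ima/policy.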

        Examples of LSM-specific definitions:

        SELinux::

                dont_measure obj_type=var_log_t
                dont_appraise obj_type=var_log_t
                dont_measure obj_type=auditd_log_t
                dont_appraise obj_type=auditd_log_t
                measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
                measure subj_role=system_r func=FILE_CHECK mask=MAY_READ

        Smack::

                measure subj_user=_ func=FILE_CHECK mask=MAY_READ

        Example of measure rules using alternate PCRs::

                measure func=KEXEC_KERNEL_CHECK pcr=4
                measure func=KEXEC_INITRAMFS_CHECK pcr=5

        Example of an appraise rule allowing modsig appended signatures::

                appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig

        Example of a measure rule using KEY_CHECK to measure all keys::

                measure func=KEY_CHECK

        Example of a measure rule using KEY_CHECK to only measure
        keys added to the .builtin_trusted_keys or .ima keyring::

                measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima

        Example of the special SETXATTR_CHECK appraise rule, which
        restricts the hash algorithms allowed when writing to the
        security.ima xattr of a file::

                appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512

        Example of a 'measure' rule requiring fs-verity's digests,
        with the type of digest indicated in the measurement list::

                measure func=FILE_CHECK digest_type=verity \
                        template=ima-ngv2

        Example of 'measure' and 'appraise' rules requiring fs-verity
        signatures (format version 3) stored in the security.ima xattr.

        The 'measure' rule specifies the 'ima-sigv3' template option,
        which includes the type of digest and the file signature in
        the measurement list::

                measure func=BPRM_CHECK digest_type=verity \
                        template=ima-sigv3

        The 'appraise' rule specifies the digest type and the signature
        format version (sigv3) required::

                appraise func=BPRM_CHECK digest_type=verity \
                        appraise_type=sigv3

        All of these policy rules could, for example, be constrained
        either based on a filesystem's UUID (fsuuid) or based on LSM
        labels.