aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation/ABI/testing/ima_policy
diff options
context:
space:
mode:
Diffstat (limited to 'Documentation/ABI/testing/ima_policy')
-rw-r--r--Documentation/ABI/testing/ima_policy25
1 files changed, 21 insertions, 4 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 6cd6daefaae..98694661354 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -12,11 +12,14 @@ Description:
12 then closing the file. The new policy takes effect after 12 then closing the file. The new policy takes effect after
13 the file ima/policy is closed. 13 the file ima/policy is closed.
14 14
15 IMA appraisal, if configured, uses these file measurements
16 for local measurement appraisal.
17
15 rule format: action [condition ...] 18 rule format: action [condition ...]
16 19
17 action: measure | dont_measure 20 action: measure | dont_measure | appraise | dont_appraise | audit
18 condition:= base | lsm 21 condition:= base | lsm
19 base: [[func=] [mask=] [fsmagic=] [uid=]] 22 base: [[func=] [mask=] [fsmagic=] [uid=] [fowner]]
20 lsm: [[subj_user=] [subj_role=] [subj_type=] 23 lsm: [[subj_user=] [subj_role=] [subj_type=]
21 [obj_user=] [obj_role=] [obj_type=]] 24 [obj_user=] [obj_role=] [obj_type=]]
22 25
@@ -24,36 +27,50 @@ Description:
24 mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] 27 mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
25 fsmagic:= hex value 28 fsmagic:= hex value
26 uid:= decimal value 29 uid:= decimal value
30 fowner:=decimal value
27 lsm: are LSM specific 31 lsm: are LSM specific
28 32
29 default policy: 33 default policy:
30 # PROC_SUPER_MAGIC 34 # PROC_SUPER_MAGIC
31 dont_measure fsmagic=0x9fa0 35 dont_measure fsmagic=0x9fa0
36 dont_appraise fsmagic=0x9fa0
32 # SYSFS_MAGIC 37 # SYSFS_MAGIC
33 dont_measure fsmagic=0x62656572 38 dont_measure fsmagic=0x62656572
39 dont_appraise fsmagic=0x62656572
34 # DEBUGFS_MAGIC 40 # DEBUGFS_MAGIC
35 dont_measure fsmagic=0x64626720 41 dont_measure fsmagic=0x64626720
42 dont_appraise fsmagic=0x64626720
36 # TMPFS_MAGIC 43 # TMPFS_MAGIC
37 dont_measure fsmagic=0x01021994 44 dont_measure fsmagic=0x01021994
45 dont_appraise fsmagic=0x01021994
46 # RAMFS_MAGIC
47 dont_measure fsmagic=0x858458f6
48 dont_appraise fsmagic=0x858458f6
38 # SECURITYFS_MAGIC 49 # SECURITYFS_MAGIC
39 dont_measure fsmagic=0x73636673 50 dont_measure fsmagic=0x73636673
51 dont_appraise fsmagic=0x73636673
40 52
41 measure func=BPRM_CHECK 53 measure func=BPRM_CHECK
42 measure func=FILE_MMAP mask=MAY_EXEC 54 measure func=FILE_MMAP mask=MAY_EXEC
43 measure func=FILE_CHECK mask=MAY_READ uid=0 55 measure func=FILE_CHECK mask=MAY_READ uid=0
56 appraise fowner=0
44 57
45 The default policy measures all executables in bprm_check, 58 The default policy measures all executables in bprm_check,
46 all files mmapped executable in file_mmap, and all files 59 all files mmapped executable in file_mmap, and all files
47 open for read by root in do_filp_open. 60 open for read by root in do_filp_open. The default appraisal
61 policy appraises all files owned by root.
48 62
49 Examples of LSM specific definitions: 63 Examples of LSM specific definitions:
50 64
51 SELinux: 65 SELinux:
52 # SELINUX_MAGIC 66 # SELINUX_MAGIC
53 dont_measure fsmagic=0xF97CFF8C 67 dont_measure fsmagic=0xf97cff8c
68 dont_appraise fsmagic=0xf97cff8c
54 69
55 dont_measure obj_type=var_log_t 70 dont_measure obj_type=var_log_t
71 dont_appraise obj_type=var_log_t
56 dont_measure obj_type=auditd_log_t 72 dont_measure obj_type=auditd_log_t
73 dont_appraise obj_type=auditd_log_t
57 measure subj_user=system_u func=FILE_CHECK mask=MAY_READ 74 measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
58 measure subj_role=system_r func=FILE_CHECK mask=MAY_READ 75 measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
59 76
generated by cgit v1.2.2 (git 2.25.0) at 2024-10-18 14:17:01 -0400