diff options
Diffstat (limited to 'Documentation/ABI/testing/ima_policy')
-rw-r--r-- | Documentation/ABI/testing/ima_policy | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 6cd6daefaae..98694661354 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy | |||
@@ -12,11 +12,14 @@ Description: | |||
12 | then closing the file. The new policy takes effect after | 12 | then closing the file. The new policy takes effect after |
13 | the file ima/policy is closed. | 13 | the file ima/policy is closed. |
14 | 14 | ||
15 | IMA appraisal, if configured, uses these file measurements | ||
16 | for local measurement appraisal. | ||
17 | |||
15 | rule format: action [condition ...] | 18 | rule format: action [condition ...] |
16 | 19 | ||
17 | action: measure | dont_measure | 20 | action: measure | dont_measure | appraise | dont_appraise | audit |
18 | condition:= base | lsm | 21 | condition:= base | lsm |
19 | base: [[func=] [mask=] [fsmagic=] [uid=]] | 22 | base: [[func=] [mask=] [fsmagic=] [uid=] [fowner]] |
20 | lsm: [[subj_user=] [subj_role=] [subj_type=] | 23 | lsm: [[subj_user=] [subj_role=] [subj_type=] |
21 | [obj_user=] [obj_role=] [obj_type=]] | 24 | [obj_user=] [obj_role=] [obj_type=]] |
22 | 25 | ||
@@ -24,36 +27,50 @@ Description: | |||
24 | mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] | 27 | mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] |
25 | fsmagic:= hex value | 28 | fsmagic:= hex value |
26 | uid:= decimal value | 29 | uid:= decimal value |
30 | fowner:=decimal value | ||
27 | lsm: are LSM specific | 31 | lsm: are LSM specific |
28 | 32 | ||
29 | default policy: | 33 | default policy: |
30 | # PROC_SUPER_MAGIC | 34 | # PROC_SUPER_MAGIC |
31 | dont_measure fsmagic=0x9fa0 | 35 | dont_measure fsmagic=0x9fa0 |
36 | dont_appraise fsmagic=0x9fa0 | ||
32 | # SYSFS_MAGIC | 37 | # SYSFS_MAGIC |
33 | dont_measure fsmagic=0x62656572 | 38 | dont_measure fsmagic=0x62656572 |
39 | dont_appraise fsmagic=0x62656572 | ||
34 | # DEBUGFS_MAGIC | 40 | # DEBUGFS_MAGIC |
35 | dont_measure fsmagic=0x64626720 | 41 | dont_measure fsmagic=0x64626720 |
42 | dont_appraise fsmagic=0x64626720 | ||
36 | # TMPFS_MAGIC | 43 | # TMPFS_MAGIC |
37 | dont_measure fsmagic=0x01021994 | 44 | dont_measure fsmagic=0x01021994 |
45 | dont_appraise fsmagic=0x01021994 | ||
46 | # RAMFS_MAGIC | ||
47 | dont_measure fsmagic=0x858458f6 | ||
48 | dont_appraise fsmagic=0x858458f6 | ||
38 | # SECURITYFS_MAGIC | 49 | # SECURITYFS_MAGIC |
39 | dont_measure fsmagic=0x73636673 | 50 | dont_measure fsmagic=0x73636673 |
51 | dont_appraise fsmagic=0x73636673 | ||
40 | 52 | ||
41 | measure func=BPRM_CHECK | 53 | measure func=BPRM_CHECK |
42 | measure func=FILE_MMAP mask=MAY_EXEC | 54 | measure func=FILE_MMAP mask=MAY_EXEC |
43 | measure func=FILE_CHECK mask=MAY_READ uid=0 | 55 | measure func=FILE_CHECK mask=MAY_READ uid=0 |
56 | appraise fowner=0 | ||
44 | 57 | ||
45 | The default policy measures all executables in bprm_check, | 58 | The default policy measures all executables in bprm_check, |
46 | all files mmapped executable in file_mmap, and all files | 59 | all files mmapped executable in file_mmap, and all files |
47 | open for read by root in do_filp_open. | 60 | open for read by root in do_filp_open. The default appraisal |
61 | policy appraises all files owned by root. | ||
48 | 62 | ||
49 | Examples of LSM specific definitions: | 63 | Examples of LSM specific definitions: |
50 | 64 | ||
51 | SELinux: | 65 | SELinux: |
52 | # SELINUX_MAGIC | 66 | # SELINUX_MAGIC |
53 | dont_measure fsmagic=0xF97CFF8C | 67 | dont_measure fsmagic=0xf97cff8c |
68 | dont_appraise fsmagic=0xf97cff8c | ||
54 | 69 | ||
55 | dont_measure obj_type=var_log_t | 70 | dont_measure obj_type=var_log_t |
71 | dont_appraise obj_type=var_log_t | ||
56 | dont_measure obj_type=auditd_log_t | 72 | dont_measure obj_type=auditd_log_t |
73 | dont_appraise obj_type=auditd_log_t | ||
57 | measure subj_user=system_u func=FILE_CHECK mask=MAY_READ | 74 | measure subj_user=system_u func=FILE_CHECK mask=MAY_READ |
58 | measure subj_role=system_r func=FILE_CHECK mask=MAY_READ | 75 | measure subj_role=system_r func=FILE_CHECK mask=MAY_READ |
59 | 76 | ||