aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation/ABI
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2011-03-09 22:25:48 -0500
committerMimi Zohar <zohar@linux.vnet.ibm.com>2012-09-07 14:57:45 -0400
commit07f6a79415d7d502ee0c7d02ace6594a7be7429a (patch)
treeaf2a9b3bb84ab621cbf11ab609dd8cc3566f2b12 /Documentation/ABI
parent2fe5d6def1672ae6635dd71867bf36dcfaa7434b (diff)
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent on runtime process information, such as the task uid, as the 'security.ima' xattr is written on file close and must be updated each time the file changes, regardless of the current task uid. This patch extends the policy language with 'fowner', defines an appraise policy, which appraises all files owned by root, and defines 'ima_appraise_tcb', a new boot command line option, to enable the appraise policy. Changelog v3: - separate the measure from the appraise rules in order to support measuring without appraising and appraising without measuring. - change appraisal default for filesystems without xattr support to fail - update default appraise policy for cgroups Changelog v1: - don't appraise RAMFS (Dmitry Kasatkin) - merged rest of "ima: ima_must_appraise_or_measure API change" commit (Dmtiry Kasatkin) ima_must_appraise_or_measure() called ima_match_policy twice, which searched the policy for a matching rule. Once for a matching measurement rule and subsequently for an appraisal rule. Searching the policy twice is unnecessary overhead, which could be noticeable with a large policy. The new version of ima_must_appraise_or_measure() does everything in a single iteration using a new version of ima_match_policy(). It returns IMA_MEASURE, IMA_APPRAISE mask. With the use of action mask only one efficient matching function is enough. Removed other specific versions of matching functions. Changelog: - change 'owner' to 'fowner' to conform to the new LSM conditions posted by Roberto Sassu. - fix calls to ima_log_string() Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Diffstat (limited to 'Documentation/ABI')
-rw-r--r--Documentation/ABI/testing/ima_policy25
1 files changed, 21 insertions, 4 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 6cd6daefaaed..dcff82205477 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -12,11 +12,14 @@ Description:
12 then closing the file. The new policy takes effect after 12 then closing the file. The new policy takes effect after
13 the file ima/policy is closed. 13 the file ima/policy is closed.
14 14
15 IMA appraisal, if configured, uses these file measurements
16 for local measurement appraisal.
17
15 rule format: action [condition ...] 18 rule format: action [condition ...]
16 19
17 action: measure | dont_measure 20 action: measure | dont_measure | appraise | dont_appraise
18 condition:= base | lsm 21 condition:= base | lsm
19 base: [[func=] [mask=] [fsmagic=] [uid=]] 22 base: [[func=] [mask=] [fsmagic=] [uid=] [fowner]]
20 lsm: [[subj_user=] [subj_role=] [subj_type=] 23 lsm: [[subj_user=] [subj_role=] [subj_type=]
21 [obj_user=] [obj_role=] [obj_type=]] 24 [obj_user=] [obj_role=] [obj_type=]]
22 25
@@ -24,36 +27,50 @@ Description:
24 mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] 27 mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
25 fsmagic:= hex value 28 fsmagic:= hex value
26 uid:= decimal value 29 uid:= decimal value
30 fowner:=decimal value
27 lsm: are LSM specific 31 lsm: are LSM specific
28 32
29 default policy: 33 default policy:
30 # PROC_SUPER_MAGIC 34 # PROC_SUPER_MAGIC
31 dont_measure fsmagic=0x9fa0 35 dont_measure fsmagic=0x9fa0
36 dont_appraise fsmagic=0x9fa0
32 # SYSFS_MAGIC 37 # SYSFS_MAGIC
33 dont_measure fsmagic=0x62656572 38 dont_measure fsmagic=0x62656572
39 dont_appraise fsmagic=0x62656572
34 # DEBUGFS_MAGIC 40 # DEBUGFS_MAGIC
35 dont_measure fsmagic=0x64626720 41 dont_measure fsmagic=0x64626720
42 dont_appraise fsmagic=0x64626720
36 # TMPFS_MAGIC 43 # TMPFS_MAGIC
37 dont_measure fsmagic=0x01021994 44 dont_measure fsmagic=0x01021994
45 dont_appraise fsmagic=0x01021994
46 # RAMFS_MAGIC
47 dont_measure fsmagic=0x858458f6
48 dont_appraise fsmagic=0x858458f6
38 # SECURITYFS_MAGIC 49 # SECURITYFS_MAGIC
39 dont_measure fsmagic=0x73636673 50 dont_measure fsmagic=0x73636673
51 dont_appraise fsmagic=0x73636673
40 52
41 measure func=BPRM_CHECK 53 measure func=BPRM_CHECK
42 measure func=FILE_MMAP mask=MAY_EXEC 54 measure func=FILE_MMAP mask=MAY_EXEC
43 measure func=FILE_CHECK mask=MAY_READ uid=0 55 measure func=FILE_CHECK mask=MAY_READ uid=0
56 appraise fowner=0
44 57
45 The default policy measures all executables in bprm_check, 58 The default policy measures all executables in bprm_check,
46 all files mmapped executable in file_mmap, and all files 59 all files mmapped executable in file_mmap, and all files
47 open for read by root in do_filp_open. 60 open for read by root in do_filp_open. The default appraisal
61 policy appraises all files owned by root.
48 62
49 Examples of LSM specific definitions: 63 Examples of LSM specific definitions:
50 64
51 SELinux: 65 SELinux:
52 # SELINUX_MAGIC 66 # SELINUX_MAGIC
53 dont_measure fsmagic=0xF97CFF8C 67 dont_measure fsmagic=0xf97cff8c
68 dont_appraise fsmagic=0xf97cff8c
54 69
55 dont_measure obj_type=var_log_t 70 dont_measure obj_type=var_log_t
71 dont_appraise obj_type=var_log_t
56 dont_measure obj_type=auditd_log_t 72 dont_measure obj_type=auditd_log_t
73 dont_appraise obj_type=auditd_log_t
57 measure subj_user=system_u func=FILE_CHECK mask=MAY_READ 74 measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
58 measure subj_role=system_r func=FILE_CHECK mask=MAY_READ 75 measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
59 76