aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation/ABI/testing/ima_policy
diff options
context:
space:
mode:
Diffstat (limited to 'Documentation/ABI/testing/ima_policy')
-rw-r--r--Documentation/ABI/testing/ima_policy61
1 files changed, 61 insertions, 0 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
new file mode 100644
index 000000000000..6434f0df012e
--- /dev/null
+++ b/Documentation/ABI/testing/ima_policy
@@ -0,0 +1,61 @@
1What: security/ima/policy
2Date: May 2008
3Contact: Mimi Zohar <zohar@us.ibm.com>
4Description:
5 The Trusted Computing Group(TCG) runtime Integrity
6 Measurement Architecture(IMA) maintains a list of hash
7 values of executables and other sensitive system files
8 loaded into the run-time of this system. At runtime,
9 the policy can be constrained based on LSM specific data.
10 Policies are loaded into the securityfs file ima/policy
11 by opening the file, writing the rules one at a time and
12 then closing the file. The new policy takes effect after
13 the file ima/policy is closed.
14
15 rule format: action [condition ...]
16
17 action: measure | dont_measure
18 condition:= base | lsm
19 base: [[func=] [mask=] [fsmagic=] [uid=]]
20 lsm: [[subj_user=] [subj_role=] [subj_type=]
21 [obj_user=] [obj_role=] [obj_type=]]
22
23 base: func:= [BPRM_CHECK][FILE_MMAP][INODE_PERMISSION]
24 mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
25 fsmagic:= hex value
26 uid:= decimal value
27 lsm: are LSM specific
28
29 default policy:
30 # PROC_SUPER_MAGIC
31 dont_measure fsmagic=0x9fa0
32 # SYSFS_MAGIC
33 dont_measure fsmagic=0x62656572
34 # DEBUGFS_MAGIC
35 dont_measure fsmagic=0x64626720
36 # TMPFS_MAGIC
37 dont_measure fsmagic=0x01021994
38 # SECURITYFS_MAGIC
39 dont_measure fsmagic=0x73636673
40
41 measure func=BPRM_CHECK
42 measure func=FILE_MMAP mask=MAY_EXEC
43 measure func=INODE_PERM mask=MAY_READ uid=0
44
45 The default policy measures all executables in bprm_check,
46 all files mmapped executable in file_mmap, and all files
47 open for read by root in inode_permission.
48
49 Examples of LSM specific definitions:
50
51 SELinux:
52 # SELINUX_MAGIC
53 dont_measure fsmagic=0xF97CFF8C
54
55 dont_measure obj_type=var_log_t
56 dont_measure obj_type=auditd_log_t
57 measure subj_user=system_u func=INODE_PERM mask=MAY_READ
58 measure subj_role=system_r func=INODE_PERM mask=MAY_READ
59
60 Smack:
61 measure subj_user=_ func=INODE_PERM mask=MAY_READ