85865c1fa1
The IMA policy permits specifying rules to enable or disable measurement/appraisal/audit based on the file system magic number. If, for example, the policy contains an ext4 measurement rule, the rule is enabled for all ext4 partitions. Sometimes it might be necessary to enable measurement/appraisal/audit only for one partition and disable it for another partition of the same type. With the existing IMA policy syntax, this can not be done. This patch provides support for IMA policy rules to specify the file system by its UUID (eg. fsuuid=397449cd-687d-4145-8698-7fed4a3e0363). For partitions not being appraised, it might be a good idea to mount file systems with the 'noexec' option to prevent executing non-verified binaries. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
84 lines
2.7 KiB
Plaintext
84 lines
2.7 KiB
Plaintext
What: security/ima/policy
|
|
Date: May 2008
|
|
Contact: Mimi Zohar <zohar@us.ibm.com>
|
|
Description:
|
|
The Trusted Computing Group(TCG) runtime Integrity
|
|
Measurement Architecture(IMA) maintains a list of hash
|
|
values of executables and other sensitive system files
|
|
loaded into the run-time of this system. At runtime,
|
|
the policy can be constrained based on LSM specific data.
|
|
Policies are loaded into the securityfs file ima/policy
|
|
by opening the file, writing the rules one at a time and
|
|
then closing the file. The new policy takes effect after
|
|
the file ima/policy is closed.
|
|
|
|
IMA appraisal, if configured, uses these file measurements
|
|
for local measurement appraisal.
|
|
|
|
rule format: action [condition ...]
|
|
|
|
action: measure | dont_measure | appraise | dont_appraise | audit
|
|
condition:= base | lsm [option]
|
|
base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
|
|
[fowner]]
|
|
lsm: [[subj_user=] [subj_role=] [subj_type=]
|
|
[obj_user=] [obj_role=] [obj_type=]]
|
|
option: [[appraise_type=]]
|
|
|
|
base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
|
|
mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
|
|
fsmagic:= hex value
|
|
fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
|
|
uid:= decimal value
|
|
fowner:=decimal value
|
|
lsm: are LSM specific
|
|
option: appraise_type:= [imasig]
|
|
|
|
default policy:
|
|
# PROC_SUPER_MAGIC
|
|
dont_measure fsmagic=0x9fa0
|
|
dont_appraise fsmagic=0x9fa0
|
|
# SYSFS_MAGIC
|
|
dont_measure fsmagic=0x62656572
|
|
dont_appraise fsmagic=0x62656572
|
|
# DEBUGFS_MAGIC
|
|
dont_measure fsmagic=0x64626720
|
|
dont_appraise fsmagic=0x64626720
|
|
# TMPFS_MAGIC
|
|
dont_measure fsmagic=0x01021994
|
|
dont_appraise fsmagic=0x01021994
|
|
# RAMFS_MAGIC
|
|
dont_measure fsmagic=0x858458f6
|
|
dont_appraise fsmagic=0x858458f6
|
|
# SECURITYFS_MAGIC
|
|
dont_measure fsmagic=0x73636673
|
|
dont_appraise fsmagic=0x73636673
|
|
|
|
measure func=BPRM_CHECK
|
|
measure func=FILE_MMAP mask=MAY_EXEC
|
|
measure func=FILE_CHECK mask=MAY_READ uid=0
|
|
measure func=MODULE_CHECK uid=0
|
|
appraise fowner=0
|
|
|
|
The default policy measures all executables in bprm_check,
|
|
all files mmapped executable in file_mmap, and all files
|
|
open for read by root in do_filp_open. The default appraisal
|
|
policy appraises all files owned by root.
|
|
|
|
Examples of LSM specific definitions:
|
|
|
|
SELinux:
|
|
# SELINUX_MAGIC
|
|
dont_measure fsmagic=0xf97cff8c
|
|
dont_appraise fsmagic=0xf97cff8c
|
|
|
|
dont_measure obj_type=var_log_t
|
|
dont_appraise obj_type=var_log_t
|
|
dont_measure obj_type=auditd_log_t
|
|
dont_appraise obj_type=auditd_log_t
|
|
measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
|
|
measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
|
|
|
|
Smack:
|
|
measure subj_user=_ func=FILE_CHECK mask=MAY_READ
|