4958db3245
Commit 98de59bfe4b2f ("take calculation of final prot in
security_mmap_file() into a helper") caused ima_file_mmap() to receive the
protections requested by the application and not those applied by the
kernel.
After restoring the original MMAP_CHECK behavior, existing attestation
servers might be broken due to not being ready to handle new entries
(previously missing) in the IMA measurement list.
Restore the original correct MMAP_CHECK behavior, instead of keeping the
current buggy one and introducing a new hook with the correct behavior.
Otherwise, there would have been the risk of IMA users not noticing the
problem at all, as they would actively have to update the IMA policy, to
switch to the correct behavior.
Also, introduce the new MMAP_CHECK_REQPROT hook to keep the current
behavior, so that IMA users could easily fix a broken attestation server,
although this approach is discouraged due to potentially missing
measurements.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
191 lines
6.3 KiB
Plaintext
191 lines
6.3 KiB
Plaintext
What: /sys/kernel/security/*/ima/policy
|
|
Date: May 2008
|
|
Contact: Mimi Zohar <zohar@us.ibm.com>
|
|
Description:
|
|
The Trusted Computing Group(TCG) runtime Integrity
|
|
Measurement Architecture(IMA) maintains a list of hash
|
|
values of executables and other sensitive system files
|
|
loaded into the run-time of this system. At runtime,
|
|
the policy can be constrained based on LSM specific data.
|
|
Policies are loaded into the securityfs file ima/policy
|
|
by opening the file, writing the rules one at a time and
|
|
then closing the file. The new policy takes effect after
|
|
the file ima/policy is closed.
|
|
|
|
IMA appraisal, if configured, uses these file measurements
|
|
for local measurement appraisal.
|
|
|
|
::
|
|
|
|
rule format: action [condition ...]
|
|
|
|
action: measure | dont_measure | appraise | dont_appraise |
|
|
audit | hash | dont_hash
|
|
condition:= base | lsm [option]
|
|
base: [[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
|
|
[uid=] [euid=] [gid=] [egid=]
|
|
[fowner=] [fgroup=]]
|
|
lsm: [[subj_user=] [subj_role=] [subj_type=]
|
|
[obj_user=] [obj_role=] [obj_type=]]
|
|
option: [digest_type=] [template=] [permit_directio]
|
|
[appraise_type=] [appraise_flag=]
|
|
[appraise_algos=] [keyrings=]
|
|
base:
|
|
func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
|
|
[FIRMWARE_CHECK]
|
|
[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
|
|
[KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
|
|
[SETXATTR_CHECK][MMAP_CHECK_REQPROT]
|
|
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
|
|
[[^]MAY_EXEC]
|
|
fsmagic:= hex value
|
|
fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
|
|
uid:= decimal value
|
|
euid:= decimal value
|
|
gid:= decimal value
|
|
egid:= decimal value
|
|
fowner:= decimal value
|
|
fgroup:= decimal value
|
|
lsm: are LSM specific
|
|
option:
|
|
appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
|
|
where 'imasig' is the original or the signature
|
|
format v2.
|
|
where 'modsig' is an appended signature,
|
|
where 'sigv3' is the signature format v3. (Currently
|
|
limited to fsverity digest based signatures
|
|
stored in security.ima xattr. Requires
|
|
specifying "digest_type=verity" first.)
|
|
|
|
appraise_flag:= [check_blacklist]
|
|
Currently, blacklist check is only for files signed with appended
|
|
signature.
|
|
digest_type:= verity
|
|
Require fs-verity's file digest instead of the
|
|
regular IMA file hash.
|
|
keyrings:= list of keyrings
|
|
(eg, .builtin_trusted_keys|.ima). Only valid
|
|
when action is "measure" and func is KEY_CHECK.
|
|
template:= name of a defined IMA template type
|
|
(eg, ima-ng). Only valid when action is "measure".
|
|
pcr:= decimal value
|
|
label:= [selinux]|[kernel_info]|[data_label]
|
|
data_label:= a unique string used for grouping and limiting critical data.
|
|
For example, "selinux" to measure critical data for SELinux.
|
|
appraise_algos:= comma-separated list of hash algorithms
|
|
For example, "sha256,sha512" to only accept to appraise
|
|
files where the security.ima xattr was hashed with one
|
|
of these two algorithms.
|
|
|
|
default policy:
|
|
# PROC_SUPER_MAGIC
|
|
dont_measure fsmagic=0x9fa0
|
|
dont_appraise fsmagic=0x9fa0
|
|
# SYSFS_MAGIC
|
|
dont_measure fsmagic=0x62656572
|
|
dont_appraise fsmagic=0x62656572
|
|
# DEBUGFS_MAGIC
|
|
dont_measure fsmagic=0x64626720
|
|
dont_appraise fsmagic=0x64626720
|
|
# TMPFS_MAGIC
|
|
dont_measure fsmagic=0x01021994
|
|
dont_appraise fsmagic=0x01021994
|
|
# RAMFS_MAGIC
|
|
dont_appraise fsmagic=0x858458f6
|
|
# DEVPTS_SUPER_MAGIC
|
|
dont_measure fsmagic=0x1cd1
|
|
dont_appraise fsmagic=0x1cd1
|
|
# BINFMTFS_MAGIC
|
|
dont_measure fsmagic=0x42494e4d
|
|
dont_appraise fsmagic=0x42494e4d
|
|
# SECURITYFS_MAGIC
|
|
dont_measure fsmagic=0x73636673
|
|
dont_appraise fsmagic=0x73636673
|
|
# SELINUX_MAGIC
|
|
dont_measure fsmagic=0xf97cff8c
|
|
dont_appraise fsmagic=0xf97cff8c
|
|
# CGROUP_SUPER_MAGIC
|
|
dont_measure fsmagic=0x27e0eb
|
|
dont_appraise fsmagic=0x27e0eb
|
|
# NSFS_MAGIC
|
|
dont_measure fsmagic=0x6e736673
|
|
dont_appraise fsmagic=0x6e736673
|
|
|
|
measure func=BPRM_CHECK
|
|
measure func=FILE_MMAP mask=MAY_EXEC
|
|
measure func=FILE_CHECK mask=MAY_READ uid=0
|
|
measure func=MODULE_CHECK
|
|
measure func=FIRMWARE_CHECK
|
|
appraise fowner=0
|
|
|
|
The default policy measures all executables in bprm_check,
|
|
all files mmapped executable in file_mmap, and all files
|
|
open for read by root in do_filp_open. The default appraisal
|
|
policy appraises all files owned by root.
|
|
|
|
Examples of LSM specific definitions:
|
|
|
|
SELinux::
|
|
|
|
dont_measure obj_type=var_log_t
|
|
dont_appraise obj_type=var_log_t
|
|
dont_measure obj_type=auditd_log_t
|
|
dont_appraise obj_type=auditd_log_t
|
|
measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
|
|
measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
|
|
|
|
Smack::
|
|
|
|
measure subj_user=_ func=FILE_CHECK mask=MAY_READ
|
|
|
|
Example of measure rules using alternate PCRs::
|
|
|
|
measure func=KEXEC_KERNEL_CHECK pcr=4
|
|
measure func=KEXEC_INITRAMFS_CHECK pcr=5
|
|
|
|
Example of appraise rule allowing modsig appended signatures:
|
|
|
|
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
|
|
|
|
Example of measure rule using KEY_CHECK to measure all keys:
|
|
|
|
measure func=KEY_CHECK
|
|
|
|
Example of measure rule using KEY_CHECK to only measure
|
|
keys added to .builtin_trusted_keys or .ima keyring:
|
|
|
|
measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
|
|
|
|
Example of the special SETXATTR_CHECK appraise rule, that
|
|
restricts the hash algorithms allowed when writing to the
|
|
security.ima xattr of a file:
|
|
|
|
appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512
|
|
|
|
Example of a 'measure' rule requiring fs-verity's digests
|
|
with indication of type of digest in the measurement list.
|
|
|
|
measure func=FILE_CHECK digest_type=verity \
|
|
template=ima-ngv2
|
|
|
|
Example of 'measure' and 'appraise' rules requiring fs-verity
|
|
signatures (format version 3) stored in security.ima xattr.
|
|
|
|
The 'measure' rule specifies the 'ima-sigv3' template option,
|
|
which includes the indication of type of digest and the file
|
|
signature in the measurement list.
|
|
|
|
measure func=BPRM_CHECK digest_type=verity \
|
|
template=ima-sigv3
|
|
|
|
|
|
The 'appraise' rule specifies the type and signature format
|
|
version (sigv3) required.
|
|
|
|
appraise func=BPRM_CHECK digest_type=verity \
|
|
appraise_type=sigv3
|
|
|
|
All of these policy rules could, for example, be constrained
|
|
either based on a filesystem's UUID (fsuuid) or based on LSM
|
|
labels.
|