2009-02-04 22:07:00 +08:00
|
|
|
What: security/ima/policy
|
|
|
|
Date: May 2008
|
|
|
|
Contact: Mimi Zohar <zohar@us.ibm.com>
|
|
|
|
Description:
|
|
|
|
The Trusted Computing Group(TCG) runtime Integrity
|
|
|
|
Measurement Architecture(IMA) maintains a list of hash
|
|
|
|
values of executables and other sensitive system files
|
|
|
|
loaded into the run-time of this system. At runtime,
|
|
|
|
the policy can be constrained based on LSM specific data.
|
|
|
|
Policies are loaded into the securityfs file ima/policy
|
|
|
|
by opening the file, writing the rules one at a time and
|
|
|
|
then closing the file. The new policy takes effect after
|
|
|
|
the file ima/policy is closed.
|
|
|
|
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 11:25:48 +08:00
|
|
|
IMA appraisal, if configured, uses these file measurements
|
|
|
|
for local measurement appraisal.
|
|
|
|
|
2009-02-04 22:07:00 +08:00
|
|
|
rule format: action [condition ...]
|
|
|
|
|
ima: support new "hash" and "dont_hash" policy actions
The builtin ima_appraise_tcb policy, which is specified on the boot
command line, can be replaced with a custom policy, normally early in
the boot process. Custom policies can be more restrictive in some ways,
like requiring file signatures, but can be less restrictive in other
ways, like not appraising mutable files. With a less restrictive policy
in place, files in the builtin policy might not be hashed and labeled
with a security.ima hash. On reboot, files which should be labeled in
the ima_appraise_tcb are not labeled, possibly preventing the system
from booting properly.
To resolve this problem, this patch extends the existing IMA policy
actions "measure", "dont_measure", "appraise", "dont_appraise", and
"audit" with "hash" and "dont_hash". The new "hash" action will write
the file hash as security.ima, but without requiring the file to be
appraised as well.
For example, the builtin ima_appraise_tcb policy includes the rule,
"appraise fowner=0". Adding the "hash fowner=0" rule to a custom
policy, will cause the needed file hashes to be calculated and written
as security.ima xattrs.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2016-09-29 22:04:52 +08:00
|
|
|
action: measure | dont_measure | appraise | dont_appraise |
|
|
|
|
audit | hash | dont_hash
|
2012-06-08 18:58:49 +08:00
|
|
|
condition:= base | lsm [option]
|
2012-09-04 04:23:13 +08:00
|
|
|
base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
|
2018-01-16 00:20:36 +08:00
|
|
|
[euid=] [fowner=] [fsname=]]
|
2009-02-04 22:07:00 +08:00
|
|
|
lsm: [[subj_user=] [subj_role=] [subj_type=]
|
|
|
|
[obj_user=] [obj_role=] [obj_type=]]
|
2019-06-20 06:46:11 +08:00
|
|
|
option: [[appraise_type=]] [template=] [permit_directio]
|
2019-12-12 00:47:06 +08:00
|
|
|
[appraise_flag=] [keyrings=]
|
2018-01-09 05:36:20 +08:00
|
|
|
base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
|
2014-07-22 22:39:48 +08:00
|
|
|
[FIRMWARE_CHECK]
|
ima: support for kexec image and initramfs
Add IMA policy support for measuring/appraising the kexec image and
initramfs. Two new IMA policy identifiers KEXEC_KERNEL_CHECK and
KEXEC_INITRAMFS_CHECK are defined.
Example policy rules:
measure func=KEXEC_KERNEL_CHECK
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
measure func=KEXEC_INITRAMFS_CHECK
appraise func=KEXEC_INITRAMFS_CHECK appraise_type=imasig
Moving the enumeration to the vfs layer simplified the patches, allowing
the IMA changes, for the most part, to be separated from the other
changes. Unfortunately, passing either a kernel_read_file_id or a
ima_hooks enumeration within IMA is messy.
Option 1: duplicate kernel_read_file enumeration in ima_hooks
enum kernel_read_file_id {
...
READING_KEXEC_IMAGE,
READING_KEXEC_INITRAMFS,
READING_MAX_ID
enum ima_hooks {
...
KEXEC_KERNEL_CHECK
KEXEC_INITRAMFS_CHECK
Option 2: define ima_hooks as extension of kernel_read_file
eg: enum ima_hooks {
FILE_CHECK = READING_MAX_ID,
MMAP_CHECK,
In order to pass both kernel_read_file_id and ima_hooks values, we
would need to specify a struct containing a union.
struct caller_id {
union {
enum ima_hooks func_id;
enum kernel_read_file_id read_id;
};
};
Option 3: incorportate the ima_hooks enumeration into kernel_read_file_id,
perhaps changing the enumeration name.
For now, duplicate the new READING_KEXEC_IMAGE/INITRAMFS in the ima_hooks.
Changelog v4:
- replaced switch statement with a kernel_read_file_id to an ima_hooks
id mapping array - Dmitry
- renamed ima_hook tokens KEXEC_CHECK and INITRAMFS_CHECK to
KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK respectively - Dave Young
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Petko Manolov <petkan@mip-labs.com>
Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Cc: Dave Young <dyoung@redhat.com>
2016-01-15 09:59:14 +08:00
|
|
|
[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
|
2019-12-12 00:47:03 +08:00
|
|
|
[KEXEC_CMDLINE] [KEY_CHECK]
|
2014-11-05 20:53:55 +08:00
|
|
|
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
|
|
|
|
[[^]MAY_EXEC]
|
2009-02-04 22:07:00 +08:00
|
|
|
fsmagic:= hex value
|
2012-09-04 04:23:13 +08:00
|
|
|
fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
|
2009-02-04 22:07:00 +08:00
|
|
|
uid:= decimal value
|
2014-11-05 20:48:36 +08:00
|
|
|
euid:= decimal value
|
2017-06-16 05:02:52 +08:00
|
|
|
fowner:= decimal value
|
2009-02-04 22:07:00 +08:00
|
|
|
lsm: are LSM specific
|
2019-06-28 10:19:28 +08:00
|
|
|
option: appraise_type:= [imasig] [imasig|modsig]
|
2019-10-31 11:31:32 +08:00
|
|
|
appraise_flag:= [check_blacklist]
|
|
|
|
Currently, blacklist check is only for files signed with appended
|
|
|
|
signature.
|
2019-12-12 00:47:06 +08:00
|
|
|
keyrings:= list of keyrings
|
|
|
|
(eg, .builtin_trusted_keys|.ima). Only valid
|
|
|
|
when action is "measure" and func is KEY_CHECK.
|
2019-06-20 06:46:11 +08:00
|
|
|
template:= name of a defined IMA template type
|
|
|
|
(eg, ima-ng). Only valid when action is "measure".
|
2017-06-16 05:02:52 +08:00
|
|
|
pcr:= decimal value
|
2009-02-04 22:07:00 +08:00
|
|
|
|
|
|
|
default policy:
|
|
|
|
# PROC_SUPER_MAGIC
|
|
|
|
dont_measure fsmagic=0x9fa0
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 11:25:48 +08:00
|
|
|
dont_appraise fsmagic=0x9fa0
|
2009-02-04 22:07:00 +08:00
|
|
|
# SYSFS_MAGIC
|
|
|
|
dont_measure fsmagic=0x62656572
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 11:25:48 +08:00
|
|
|
dont_appraise fsmagic=0x62656572
|
2009-02-04 22:07:00 +08:00
|
|
|
# DEBUGFS_MAGIC
|
|
|
|
dont_measure fsmagic=0x64626720
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 11:25:48 +08:00
|
|
|
dont_appraise fsmagic=0x64626720
|
2009-02-04 22:07:00 +08:00
|
|
|
# TMPFS_MAGIC
|
|
|
|
dont_measure fsmagic=0x01021994
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 11:25:48 +08:00
|
|
|
dont_appraise fsmagic=0x01021994
|
|
|
|
# RAMFS_MAGIC
|
|
|
|
dont_appraise fsmagic=0x858458f6
|
2015-04-11 23:13:06 +08:00
|
|
|
# DEVPTS_SUPER_MAGIC
|
|
|
|
dont_measure fsmagic=0x1cd1
|
|
|
|
dont_appraise fsmagic=0x1cd1
|
|
|
|
# BINFMTFS_MAGIC
|
|
|
|
dont_measure fsmagic=0x42494e4d
|
|
|
|
dont_appraise fsmagic=0x42494e4d
|
2009-02-04 22:07:00 +08:00
|
|
|
# SECURITYFS_MAGIC
|
|
|
|
dont_measure fsmagic=0x73636673
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 11:25:48 +08:00
|
|
|
dont_appraise fsmagic=0x73636673
|
2015-04-11 23:13:06 +08:00
|
|
|
# SELINUX_MAGIC
|
|
|
|
dont_measure fsmagic=0xf97cff8c
|
|
|
|
dont_appraise fsmagic=0xf97cff8c
|
|
|
|
# CGROUP_SUPER_MAGIC
|
|
|
|
dont_measure fsmagic=0x27e0eb
|
|
|
|
dont_appraise fsmagic=0x27e0eb
|
2015-04-22 04:54:24 +08:00
|
|
|
# NSFS_MAGIC
|
|
|
|
dont_measure fsmagic=0x6e736673
|
|
|
|
dont_appraise fsmagic=0x6e736673
|
2009-02-04 22:07:00 +08:00
|
|
|
|
|
|
|
measure func=BPRM_CHECK
|
|
|
|
measure func=FILE_MMAP mask=MAY_EXEC
|
2010-01-27 06:02:41 +08:00
|
|
|
measure func=FILE_CHECK mask=MAY_READ uid=0
|
2014-07-22 22:39:48 +08:00
|
|
|
measure func=MODULE_CHECK
|
|
|
|
measure func=FIRMWARE_CHECK
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 11:25:48 +08:00
|
|
|
appraise fowner=0
|
2009-02-04 22:07:00 +08:00
|
|
|
|
|
|
|
The default policy measures all executables in bprm_check,
|
|
|
|
all files mmapped executable in file_mmap, and all files
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 11:25:48 +08:00
|
|
|
open for read by root in do_filp_open. The default appraisal
|
|
|
|
policy appraises all files owned by root.
|
2009-02-04 22:07:00 +08:00
|
|
|
|
|
|
|
Examples of LSM specific definitions:
|
|
|
|
|
|
|
|
SELinux:
|
|
|
|
dont_measure obj_type=var_log_t
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 11:25:48 +08:00
|
|
|
dont_appraise obj_type=var_log_t
|
2009-02-04 22:07:00 +08:00
|
|
|
dont_measure obj_type=auditd_log_t
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 11:25:48 +08:00
|
|
|
dont_appraise obj_type=auditd_log_t
|
2010-01-27 06:02:41 +08:00
|
|
|
measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
|
|
|
|
measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
|
2009-02-04 22:07:00 +08:00
|
|
|
|
|
|
|
Smack:
|
2010-01-27 06:02:41 +08:00
|
|
|
measure subj_user=_ func=FILE_CHECK mask=MAY_READ
|
2017-06-16 05:02:52 +08:00
|
|
|
|
|
|
|
Example of measure rules using alternate PCRs:
|
|
|
|
|
|
|
|
measure func=KEXEC_KERNEL_CHECK pcr=4
|
|
|
|
measure func=KEXEC_INITRAMFS_CHECK pcr=5
|
2019-06-28 10:19:28 +08:00
|
|
|
|
|
|
|
Example of appraise rule allowing modsig appended signatures:
|
|
|
|
|
|
|
|
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
|
2019-12-12 00:47:03 +08:00
|
|
|
|
|
|
|
Example of measure rule using KEY_CHECK to measure all keys:
|
|
|
|
|
|
|
|
measure func=KEY_CHECK
|
2019-12-12 00:47:06 +08:00
|
|
|
|
|
|
|
Example of measure rule using KEY_CHECK to only measure
|
|
|
|
keys added to .builtin_trusted_keys or .ima keyring:
|
|
|
|
|
|
|
|
measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
|