2021-09-16 08:59:31 +00:00
|
|
|
What: /sys/kernel/security/*/ima/policy
|
2009-02-04 14:07:00 +00:00
|
|
|
Date: May 2008
|
|
|
|
|
Contact: Mimi Zohar <zohar@us.ibm.com>
|
|
|
|
|
Description:
|
|
|
|
|
The Trusted Computing Group(TCG) runtime Integrity
|
|
|
|
|
Measurement Architecture(IMA) maintains a list of hash
|
|
|
|
|
values of executables and other sensitive system files
|
|
|
|
|
loaded into the run-time of this system. At runtime,
|
|
|
|
|
the policy can be constrained based on LSM specific data.
|
|
|
|
|
Policies are loaded into the securityfs file ima/policy
|
|
|
|
|
by opening the file, writing the rules one at a time and
|
|
|
|
|
then closing the file. The new policy takes effect after
|
|
|
|
|
the file ima/policy is closed.
|
|
|
|
|
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 03:25:48 +00:00
|
|
|
IMA appraisal, if configured, uses these file measurements
|
|
|
|
|
for local measurement appraisal.
|
|
|
|
|
|
2020-10-30 07:40:39 +00:00
|
|
|
::
|
2009-02-04 14:07:00 +00:00
|
|
|
|
2020-10-30 07:40:39 +00:00
|
|
|
rule format: action [condition ...]
|
|
|
|
|
|
|
|
|
|
action: measure | dont_measure | appraise | dont_appraise |
|
|
|
|
|
audit | hash | dont_hash
|
|
|
|
|
condition:= base | lsm [option]
|
2021-10-07 20:03:02 +00:00
|
|
|
base: [[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
|
|
|
|
|
[uid=] [euid=] [gid=] [egid=]
|
|
|
|
|
[fowner=] [fgroup=]]
|
2009-02-04 14:07:00 +00:00
|
|
|
lsm: [[subj_user=] [subj_role=] [subj_type=]
|
|
|
|
|
[obj_user=] [obj_role=] [obj_type=]]
|
2021-12-23 17:29:56 +00:00
|
|
|
option: [digest_type=] [template=] [permit_directio]
|
|
|
|
|
[appraise_type=] [appraise_flag=]
|
|
|
|
|
[appraise_algos=] [keyrings=]
|
2020-10-30 07:40:39 +00:00
|
|
|
base:
|
2021-02-15 10:20:29 +00:00
|
|
|
func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
|
2021-08-16 08:11:01 +00:00
|
|
|
[FIRMWARE_CHECK]
|
ima: support for kexec image and initramfs
Add IMA policy support for measuring/appraising the kexec image and
initramfs. Two new IMA policy identifiers KEXEC_KERNEL_CHECK and
KEXEC_INITRAMFS_CHECK are defined.
Example policy rules:
measure func=KEXEC_KERNEL_CHECK
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
measure func=KEXEC_INITRAMFS_CHECK
appraise func=KEXEC_INITRAMFS_CHECK appraise_type=imasig
Moving the enumeration to the vfs layer simplified the patches, allowing
the IMA changes, for the most part, to be separated from the other
changes. Unfortunately, passing either a kernel_read_file_id or a
ima_hooks enumeration within IMA is messy.
Option 1: duplicate kernel_read_file enumeration in ima_hooks
enum kernel_read_file_id {
...
READING_KEXEC_IMAGE,
READING_KEXEC_INITRAMFS,
READING_MAX_ID
enum ima_hooks {
...
KEXEC_KERNEL_CHECK
KEXEC_INITRAMFS_CHECK
Option 2: define ima_hooks as extension of kernel_read_file
eg: enum ima_hooks {
FILE_CHECK = READING_MAX_ID,
MMAP_CHECK,
In order to pass both kernel_read_file_id and ima_hooks values, we
would need to specify a struct containing a union.
struct caller_id {
union {
enum ima_hooks func_id;
enum kernel_read_file_id read_id;
};
};
Option 3: incorportate the ima_hooks enumeration into kernel_read_file_id,
perhaps changing the enumeration name.
For now, duplicate the new READING_KEXEC_IMAGE/INITRAMFS in the ima_hooks.
Changelog v4:
- replaced switch statement with a kernel_read_file_id to an ima_hooks
id mapping array - Dmitry
- renamed ima_hook tokens KEXEC_CHECK and INITRAMFS_CHECK to
KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK respectively - Dave Young
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Petko Manolov <petkan@mip-labs.com>
Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Cc: Dave Young <dyoung@redhat.com>
2016-01-15 01:59:14 +00:00
|
|
|
[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
|
2021-01-08 04:07:04 +00:00
|
|
|
[KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
|
2023-01-31 17:42:44 +00:00
|
|
|
[SETXATTR_CHECK][MMAP_CHECK_REQPROT]
|
2014-11-05 12:53:55 +00:00
|
|
|
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
|
|
|
|
|
[[^]MAY_EXEC]
|
2009-02-04 14:07:00 +00:00
|
|
|
fsmagic:= hex value
|
2012-09-03 20:23:13 +00:00
|
|
|
fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
|
2009-02-04 14:07:00 +00:00
|
|
|
uid:= decimal value
|
2014-11-05 12:48:36 +00:00
|
|
|
euid:= decimal value
|
2021-10-07 20:03:02 +00:00
|
|
|
gid:= decimal value
|
|
|
|
|
egid:= decimal value
|
2017-06-15 21:02:52 +00:00
|
|
|
fowner:= decimal value
|
2021-10-07 20:03:02 +00:00
|
|
|
fgroup:= decimal value
|
2020-10-30 07:40:39 +00:00
|
|
|
lsm: are LSM specific
|
|
|
|
|
option:
|
ima: support fs-verity file digest based version 3 signatures
IMA may verify a file's integrity against a "good" value stored in the
'security.ima' xattr or as an appended signature, based on policy. When
the "good value" is stored in the xattr, the xattr may contain a file
hash or signature. In either case, the "good" value is preceded by a
header. The first byte of the xattr header indicates the type of data
- hash, signature - stored in the xattr. To support storing fs-verity
signatures in the 'security.ima' xattr requires further differentiating
the fs-verity signature from the existing IMA signature.
In addition the signatures stored in 'security.ima' xattr, need to be
disambiguated. Instead of directly signing the fs-verity digest, a new
signature format version 3 is defined as the hash of the ima_file_id
structure, which identifies the type of signature and the digest.
The IMA policy defines "which" files are to be measured, verified, and/or
audited. For those files being verified, the policy rules indicate "how"
the file should be verified. For example to require a file be signed,
the appraise policy rule must include the 'appraise_type' option.
appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
where 'imasig' is the original or signature format v2 (default),
where 'modsig' is an appended signature,
where 'sigv3' is the signature format v3.
The policy rule must also indicate the type of digest, if not the IMA
default, by first specifying the digest type:
digest_type:= [verity]
The following policy rule requires fsverity signatures. The rule may be
constrained, for example based on a fsuuid or LSM label.
appraise func=BPRM_CHECK digest_type=verity appraise_type=sigv3
Acked-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-11-24 15:56:33 +00:00
|
|
|
appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
|
|
|
|
|
where 'imasig' is the original or the signature
|
|
|
|
|
format v2.
|
|
|
|
|
where 'modsig' is an appended signature,
|
|
|
|
|
where 'sigv3' is the signature format v3. (Currently
|
|
|
|
|
limited to fsverity digest based signatures
|
|
|
|
|
stored in security.ima xattr. Requires
|
|
|
|
|
specifying "digest_type=verity" first.)
|
|
|
|
|
|
2023-07-26 21:17:25 +00:00
|
|
|
appraise_flag:= [check_blacklist] (deprecated)
|
|
|
|
|
Setting the check_blacklist flag is no longer necessary.
|
|
|
|
|
All appraisal functions set it by default.
|
2021-12-23 17:29:56 +00:00
|
|
|
digest_type:= verity
|
|
|
|
|
Require fs-verity's file digest instead of the
|
|
|
|
|
regular IMA file hash.
|
2019-12-11 16:47:06 +00:00
|
|
|
keyrings:= list of keyrings
|
|
|
|
|
(eg, .builtin_trusted_keys|.ima). Only valid
|
|
|
|
|
when action is "measure" and func is KEY_CHECK.
|
2019-06-19 22:46:11 +00:00
|
|
|
template:= name of a defined IMA template type
|
|
|
|
|
(eg, ima-ng). Only valid when action is "measure".
|
2017-06-15 21:02:52 +00:00
|
|
|
pcr:= decimal value
|
IMA: Measure kernel version in early boot
The integrity of a kernel can be verified by the boot loader on cold
boot, and during kexec, by the current running kernel, before it is
loaded. However, it is still possible that the new kernel being
loaded is older than the current kernel, and/or has known
vulnerabilities. Therefore, it is imperative that an attestation
service be able to verify the version of the kernel being loaded on
the client, from cold boot and subsequent kexec system calls,
ensuring that only kernels with versions known to be good are loaded.
Measure the kernel version using ima_measure_critical_data() early on
in the boot sequence, reducing the chances of known kernel
vulnerabilities being exploited. With IMA being part of the kernel,
this overall approach makes the measurement itself more trustworthy.
To enable measuring the kernel version "ima_policy=critical_data"
needs to be added to the kernel command line arguments.
For example,
BOOT_IMAGE=/boot/vmlinuz-5.11.0-rc3+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset ima_policy=critical_data
If runtime measurement of the kernel version is ever needed, the
following should be added to /etc/ima/ima-policy:
measure func=CRITICAL_DATA label=kernel_info
To extract the measured data after boot, the following command can be used:
grep -m 1 "kernel_version" \
/sys/kernel/security/integrity/ima/ascii_runtime_measurements
Sample output from the command above:
10 a8297d408e9d5155728b619761d0dd4cedf5ef5f ima-buf
sha256:5660e19945be0119bc19cbbf8d9c33a09935ab5d30dad48aa11f879c67d70988
kernel_version 352e31312e302d7263332d31363138372d676564623634666537383234342d6469727479
The above hex-ascii string corresponds to the kernel version
(e.g. xxd -r -p):
5.11.0-rc3-16187-gedb64fe78244-dirty
Signed-off-by: Raphael Gianotti <raphgi@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-01-26 19:14:53 +00:00
|
|
|
label:= [selinux]|[kernel_info]|[data_label]
|
2021-01-08 04:07:05 +00:00
|
|
|
data_label:= a unique string used for grouping and limiting critical data.
|
2021-01-14 19:15:22 +00:00
|
|
|
For example, "selinux" to measure critical data for SELinux.
|
2021-08-16 08:11:00 +00:00
|
|
|
appraise_algos:= comma-separated list of hash algorithms
|
|
|
|
|
For example, "sha256,sha512" to only accept to appraise
|
|
|
|
|
files where the security.ima xattr was hashed with one
|
|
|
|
|
of these two algorithms.
|
2009-02-04 14:07:00 +00:00
|
|
|
|
2020-10-30 07:40:39 +00:00
|
|
|
default policy:
|
2009-02-04 14:07:00 +00:00
|
|
|
# PROC_SUPER_MAGIC
|
|
|
|
|
dont_measure fsmagic=0x9fa0
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 03:25:48 +00:00
|
|
|
dont_appraise fsmagic=0x9fa0
|
2009-02-04 14:07:00 +00:00
|
|
|
# SYSFS_MAGIC
|
|
|
|
|
dont_measure fsmagic=0x62656572
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 03:25:48 +00:00
|
|
|
dont_appraise fsmagic=0x62656572
|
2009-02-04 14:07:00 +00:00
|
|
|
# DEBUGFS_MAGIC
|
|
|
|
|
dont_measure fsmagic=0x64626720
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 03:25:48 +00:00
|
|
|
dont_appraise fsmagic=0x64626720
|
2009-02-04 14:07:00 +00:00
|
|
|
# TMPFS_MAGIC
|
|
|
|
|
dont_measure fsmagic=0x01021994
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 03:25:48 +00:00
|
|
|
dont_appraise fsmagic=0x01021994
|
|
|
|
|
# RAMFS_MAGIC
|
|
|
|
|
dont_appraise fsmagic=0x858458f6
|
2015-04-11 15:13:06 +00:00
|
|
|
# DEVPTS_SUPER_MAGIC
|
|
|
|
|
dont_measure fsmagic=0x1cd1
|
|
|
|
|
dont_appraise fsmagic=0x1cd1
|
|
|
|
|
# BINFMTFS_MAGIC
|
|
|
|
|
dont_measure fsmagic=0x42494e4d
|
|
|
|
|
dont_appraise fsmagic=0x42494e4d
|
2009-02-04 14:07:00 +00:00
|
|
|
# SECURITYFS_MAGIC
|
|
|
|
|
dont_measure fsmagic=0x73636673
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 03:25:48 +00:00
|
|
|
dont_appraise fsmagic=0x73636673
|
2015-04-11 15:13:06 +00:00
|
|
|
# SELINUX_MAGIC
|
|
|
|
|
dont_measure fsmagic=0xf97cff8c
|
|
|
|
|
dont_appraise fsmagic=0xf97cff8c
|
|
|
|
|
# CGROUP_SUPER_MAGIC
|
|
|
|
|
dont_measure fsmagic=0x27e0eb
|
|
|
|
|
dont_appraise fsmagic=0x27e0eb
|
2015-04-21 20:54:24 +00:00
|
|
|
# NSFS_MAGIC
|
|
|
|
|
dont_measure fsmagic=0x6e736673
|
|
|
|
|
dont_appraise fsmagic=0x6e736673
|
2009-02-04 14:07:00 +00:00
|
|
|
|
|
|
|
|
measure func=BPRM_CHECK
|
|
|
|
|
measure func=FILE_MMAP mask=MAY_EXEC
|
2010-01-26 22:02:41 +00:00
|
|
|
measure func=FILE_CHECK mask=MAY_READ uid=0
|
2014-07-22 14:39:48 +00:00
|
|
|
measure func=MODULE_CHECK
|
|
|
|
|
measure func=FIRMWARE_CHECK
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 03:25:48 +00:00
|
|
|
appraise fowner=0
|
2009-02-04 14:07:00 +00:00
|
|
|
|
|
|
|
|
The default policy measures all executables in bprm_check,
|
|
|
|
|
all files mmapped executable in file_mmap, and all files
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 03:25:48 +00:00
|
|
|
open for read by root in do_filp_open. The default appraisal
|
|
|
|
|
policy appraises all files owned by root.
|
2009-02-04 14:07:00 +00:00
|
|
|
|
|
|
|
|
Examples of LSM specific definitions:
|
|
|
|
|
|
2020-10-30 07:40:39 +00:00
|
|
|
SELinux::
|
|
|
|
|
|
2009-02-04 14:07:00 +00:00
|
|
|
dont_measure obj_type=var_log_t
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 03:25:48 +00:00
|
|
|
dont_appraise obj_type=var_log_t
|
2009-02-04 14:07:00 +00:00
|
|
|
dont_measure obj_type=auditd_log_t
|
ima: add appraise action keywords and default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.
This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.
Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroups
Changelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)
ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.
The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.
With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.
Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2011-03-10 03:25:48 +00:00
|
|
|
dont_appraise obj_type=auditd_log_t
|
2010-01-26 22:02:41 +00:00
|
|
|
measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
|
|
|
|
|
measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
|
2009-02-04 14:07:00 +00:00
|
|
|
|
2020-10-30 07:40:39 +00:00
|
|
|
Smack::
|
|
|
|
|
|
2010-01-26 22:02:41 +00:00
|
|
|
measure subj_user=_ func=FILE_CHECK mask=MAY_READ
|
2017-06-15 21:02:52 +00:00
|
|
|
|
2020-10-30 07:40:39 +00:00
|
|
|
Example of measure rules using alternate PCRs::
|
2017-06-15 21:02:52 +00:00
|
|
|
|
|
|
|
|
measure func=KEXEC_KERNEL_CHECK pcr=4
|
|
|
|
|
measure func=KEXEC_INITRAMFS_CHECK pcr=5
|
2019-06-28 02:19:28 +00:00
|
|
|
|
|
|
|
|
Example of appraise rule allowing modsig appended signatures:
|
|
|
|
|
|
|
|
|
|
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
|
2019-12-11 16:47:03 +00:00
|
|
|
|
|
|
|
|
Example of measure rule using KEY_CHECK to measure all keys:
|
|
|
|
|
|
|
|
|
|
measure func=KEY_CHECK
|
2019-12-11 16:47:06 +00:00
|
|
|
|
|
|
|
|
Example of measure rule using KEY_CHECK to only measure
|
|
|
|
|
keys added to .builtin_trusted_keys or .ima keyring:
|
|
|
|
|
|
|
|
|
|
measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
|
2021-08-16 08:11:01 +00:00
|
|
|
|
|
|
|
|
Example of the special SETXATTR_CHECK appraise rule, that
|
|
|
|
|
restricts the hash algorithms allowed when writing to the
|
|
|
|
|
security.ima xattr of a file:
|
|
|
|
|
|
|
|
|
|
appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512
|
2021-12-23 17:29:56 +00:00
|
|
|
|
|
|
|
|
Example of a 'measure' rule requiring fs-verity's digests
|
|
|
|
|
with indication of type of digest in the measurement list.
|
|
|
|
|
|
|
|
|
|
measure func=FILE_CHECK digest_type=verity \
|
|
|
|
|
template=ima-ngv2
|
ima: support fs-verity file digest based version 3 signatures
IMA may verify a file's integrity against a "good" value stored in the
'security.ima' xattr or as an appended signature, based on policy. When
the "good value" is stored in the xattr, the xattr may contain a file
hash or signature. In either case, the "good" value is preceded by a
header. The first byte of the xattr header indicates the type of data
- hash, signature - stored in the xattr. To support storing fs-verity
signatures in the 'security.ima' xattr requires further differentiating
the fs-verity signature from the existing IMA signature.
In addition the signatures stored in 'security.ima' xattr, need to be
disambiguated. Instead of directly signing the fs-verity digest, a new
signature format version 3 is defined as the hash of the ima_file_id
structure, which identifies the type of signature and the digest.
The IMA policy defines "which" files are to be measured, verified, and/or
audited. For those files being verified, the policy rules indicate "how"
the file should be verified. For example to require a file be signed,
the appraise policy rule must include the 'appraise_type' option.
appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
where 'imasig' is the original or signature format v2 (default),
where 'modsig' is an appended signature,
where 'sigv3' is the signature format v3.
The policy rule must also indicate the type of digest, if not the IMA
default, by first specifying the digest type:
digest_type:= [verity]
The following policy rule requires fsverity signatures. The rule may be
constrained, for example based on a fsuuid or LSM label.
appraise func=BPRM_CHECK digest_type=verity appraise_type=sigv3
Acked-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-11-24 15:56:33 +00:00
|
|
|
|
|
|
|
|
Example of 'measure' and 'appraise' rules requiring fs-verity
|
|
|
|
|
signatures (format version 3) stored in security.ima xattr.
|
|
|
|
|
|
|
|
|
|
The 'measure' rule specifies the 'ima-sigv3' template option,
|
|
|
|
|
which includes the indication of type of digest and the file
|
|
|
|
|
signature in the measurement list.
|
|
|
|
|
|
|
|
|
|
measure func=BPRM_CHECK digest_type=verity \
|
|
|
|
|
template=ima-sigv3
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The 'appraise' rule specifies the type and signature format
|
|
|
|
|
version (sigv3) required.
|
|
|
|
|
|
|
|
|
|
appraise func=BPRM_CHECK digest_type=verity \
|
|
|
|
|
appraise_type=sigv3
|
|
|
|
|
|
|
|
|
|
All of these policy rules could, for example, be constrained
|
|
|
|
|
either based on a filesystem's UUID (fsuuid) or based on LSM
|
|
|
|
|
labels.
|