Documentation/ABI/testing/ima_policy

Source file repositories/reference/linux-study-clean/Documentation/ABI/testing/ima_policy

File Facts

System
Linux kernel
Corpus path
Documentation/ABI/testing/ima_policy
Extension
[no extension]
Size
6551 bytes
Lines
194
Domain
Support Tooling And Documentation
Bucket
Documentation
Inferred role
Support Tooling And Documentation: Documentation
Status
atlas-only

Why This File Exists

Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.

Dependency Surface

Detected Declarations

Annotated Snippet

What:		/sys/kernel/security/*/ima/policy
Date:		May 2008
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		The Trusted Computing Group(TCG) runtime Integrity
		Measurement Architecture(IMA) maintains a list of hash
		values of executables and other sensitive system files
		loaded into the run-time of this system.  At runtime,
		the policy can be constrained based on LSM specific data.
		Policies are loaded into the securityfs file ima/policy
		by opening the file, writing the rules one at a time and
		then closing the file.  The new policy takes effect after
		the file ima/policy is closed.

		IMA appraisal, if configured, uses these file measurements
		for local measurement appraisal.

		::

		  rule format: action [condition ...]

		  action: measure | dont_measure | appraise | dont_appraise |
			  audit | dont_audit | hash | dont_hash
		  condition:= base | lsm  [option]
			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
				[fs_subtype=]
				[uid=] [euid=] [gid=] [egid=]
				[fowner=] [fgroup=]]
			lsm:	[[subj_user=] [subj_role=] [subj_type=]
				 [obj_user=] [obj_role=] [obj_type=]]
			option:	[digest_type=] [template=] [permit_directio]
				[appraise_type=] [appraise_flag=]
				[appraise_algos=] [keyrings=]
		  base:
			func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
				[FIRMWARE_CHECK]
				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
				[KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
				[SETXATTR_CHECK][MMAP_CHECK_REQPROT]
			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
			       [[^]MAY_EXEC]
			fsmagic:= hex value
			fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
			uid:= decimal value
			euid:= decimal value
			gid:= decimal value
			egid:= decimal value
			fowner:= decimal value
			fgroup:= decimal value
		  lsm:  are LSM specific
		  option:
			appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
			    where 'imasig' is the original or the signature
				format v2.
			    where 'modsig' is an appended signature,
			    where 'sigv3' is the signature format v3.

			appraise_flag:= [check_blacklist] (deprecated)
			Setting the check_blacklist flag is no longer necessary.
			All appraisal functions set it by default.
			digest_type:= verity
			    Require fs-verity's file digest instead of the
			    regular IMA file hash.
			keyrings:= list of keyrings
			(eg, .builtin_trusted_keys|.ima). Only valid
			when action is "measure" and func is KEY_CHECK.
			template:= name of a defined IMA template type
			(eg, ima-ng). Only valid when action is "measure".
			pcr:= decimal value
			label:= [selinux]|[kernel_info]|[data_label]

Annotation

Implementation Notes