forked from Minki/linux
d906c10d8a
The existing BPRM_CHECK functionality in IMA validates against the credentials of the existing process, not any new credentials that the child process may transition to. Add an additional CREDS_CHECK target and refactor IMA to pass the appropriate creds structure. In ima_bprm_check(), check with both the existing process credentials and the credentials that will be committed when the new process is started. This will not change behaviour unless the system policy is extended to include CREDS_CHECK targets - BPRM_CHECK will continue to check the same credentials that it did previously. After this patch, an IMA policy rule along the lines of: measure func=CREDS_CHECK subj_type=unconfined_t will trigger if a process is executed and runs as unconfined_t, ignoring the context of the parent process. This is in contrast to: measure func=BPRM_CHECK subj_type=unconfined_t which will trigger if the process that calls exec() is already executing in unconfined_t, ignoring the context that the child process executes into. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Changelog: - initialize ima_creds_status
106 lines
3.4 KiB
Plaintext
106 lines
3.4 KiB
Plaintext
What: security/ima/policy
|
|
Date: May 2008
|
|
Contact: Mimi Zohar <zohar@us.ibm.com>
|
|
Description:
|
|
The Trusted Computing Group(TCG) runtime Integrity
|
|
Measurement Architecture(IMA) maintains a list of hash
|
|
values of executables and other sensitive system files
|
|
loaded into the run-time of this system. At runtime,
|
|
the policy can be constrained based on LSM specific data.
|
|
Policies are loaded into the securityfs file ima/policy
|
|
by opening the file, writing the rules one at a time and
|
|
then closing the file. The new policy takes effect after
|
|
the file ima/policy is closed.
|
|
|
|
IMA appraisal, if configured, uses these file measurements
|
|
for local measurement appraisal.
|
|
|
|
rule format: action [condition ...]
|
|
|
|
action: measure | dont_measure | appraise | dont_appraise |
|
|
audit | hash | dont_hash
|
|
condition:= base | lsm [option]
|
|
base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
|
|
[euid=] [fowner=]]
|
|
lsm: [[subj_user=] [subj_role=] [subj_type=]
|
|
[obj_user=] [obj_role=] [obj_type=]]
|
|
option: [[appraise_type=]] [permit_directio]
|
|
|
|
base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
|
|
[FIRMWARE_CHECK]
|
|
[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
|
|
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
|
|
[[^]MAY_EXEC]
|
|
fsmagic:= hex value
|
|
fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
|
|
uid:= decimal value
|
|
euid:= decimal value
|
|
fowner:= decimal value
|
|
lsm: are LSM specific
|
|
option: appraise_type:= [imasig]
|
|
pcr:= decimal value
|
|
|
|
default policy:
|
|
# PROC_SUPER_MAGIC
|
|
dont_measure fsmagic=0x9fa0
|
|
dont_appraise fsmagic=0x9fa0
|
|
# SYSFS_MAGIC
|
|
dont_measure fsmagic=0x62656572
|
|
dont_appraise fsmagic=0x62656572
|
|
# DEBUGFS_MAGIC
|
|
dont_measure fsmagic=0x64626720
|
|
dont_appraise fsmagic=0x64626720
|
|
# TMPFS_MAGIC
|
|
dont_measure fsmagic=0x01021994
|
|
dont_appraise fsmagic=0x01021994
|
|
# RAMFS_MAGIC
|
|
dont_appraise fsmagic=0x858458f6
|
|
# DEVPTS_SUPER_MAGIC
|
|
dont_measure fsmagic=0x1cd1
|
|
dont_appraise fsmagic=0x1cd1
|
|
# BINFMTFS_MAGIC
|
|
dont_measure fsmagic=0x42494e4d
|
|
dont_appraise fsmagic=0x42494e4d
|
|
# SECURITYFS_MAGIC
|
|
dont_measure fsmagic=0x73636673
|
|
dont_appraise fsmagic=0x73636673
|
|
# SELINUX_MAGIC
|
|
dont_measure fsmagic=0xf97cff8c
|
|
dont_appraise fsmagic=0xf97cff8c
|
|
# CGROUP_SUPER_MAGIC
|
|
dont_measure fsmagic=0x27e0eb
|
|
dont_appraise fsmagic=0x27e0eb
|
|
# NSFS_MAGIC
|
|
dont_measure fsmagic=0x6e736673
|
|
dont_appraise fsmagic=0x6e736673
|
|
|
|
measure func=BPRM_CHECK
|
|
measure func=FILE_MMAP mask=MAY_EXEC
|
|
measure func=FILE_CHECK mask=MAY_READ uid=0
|
|
measure func=MODULE_CHECK
|
|
measure func=FIRMWARE_CHECK
|
|
appraise fowner=0
|
|
|
|
The default policy measures all executables in bprm_check,
|
|
all files mmapped executable in file_mmap, and all files
|
|
open for read by root in do_filp_open. The default appraisal
|
|
policy appraises all files owned by root.
|
|
|
|
Examples of LSM specific definitions:
|
|
|
|
SELinux:
|
|
dont_measure obj_type=var_log_t
|
|
dont_appraise obj_type=var_log_t
|
|
dont_measure obj_type=auditd_log_t
|
|
dont_appraise obj_type=auditd_log_t
|
|
measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
|
|
measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
|
|
|
|
Smack:
|
|
measure subj_user=_ func=FILE_CHECK mask=MAY_READ
|
|
|
|
Example of measure rules using alternate PCRs:
|
|
|
|
measure func=KEXEC_KERNEL_CHECK pcr=4
|
|
measure func=KEXEC_INITRAMFS_CHECK pcr=5
|