forked from ~ljy/RK356X_SDK_RELEASE
blame | history | patch | commit | commitdiff
hc
2024-10-12 a5969cabbb4660eab42b6ef0412cbbd1200cf14d 
 kernel/Documentation/ABI/testing/ima_policy
....@@ -15,20 +15,24 @@
1515 		IMA appraisal, if configured, uses these file measurements
1616 		for local measurement appraisal.
1717 
18
-		rule format: action [condition ...]
18
+		::
1919 
20
-		action: measure | dont_measure | appraise | dont_appraise |
21
-			audit | hash | dont_hash
22
-		condition:= base | lsm  [option]
20
+		  rule format: action [condition ...]
21
+
22
+		  action: measure | dont_measure | appraise | dont_appraise |
23
+			  audit | hash | dont_hash
24
+		  condition:= base | lsm  [option]
2325 			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
2426 				[euid=] [fowner=] [fsname=]]
2527 			lsm:	[[subj_user=] [subj_role=] [subj_type=]
2628 				 [obj_user=] [obj_role=] [obj_type=]]
27
-			option:	[[appraise_type=]] [permit_directio]
28
-
29
-		base: 	func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
30
-				[FIRMWARE_CHECK]
29
+			option:	[[appraise_type=]] [template=] [permit_directio]
30
+				[appraise_flag=] [keyrings=]
31
+		  base:
32
+			func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK]MODULE_CHECK]
33
+			        [FIRMWARE_CHECK]
3134 				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
35
+				[KEXEC_CMDLINE] [KEY_CHECK]
3236 			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
3337 			       [[^]MAY_EXEC]
3438 			fsmagic:= hex value
....@@ -36,11 +40,20 @@
3640 			uid:= decimal value
3741 			euid:= decimal value
3842 			fowner:= decimal value
39
-		lsm:  	are LSM specific
40
-		option:	appraise_type:= [imasig]
43
+		  lsm:  are LSM specific
44
+		  option:
45
+			appraise_type:= [imasig] [imasig|modsig]
46
+			appraise_flag:= [check_blacklist]
47
+			Currently, blacklist check is only for files signed with appended
48
+			signature.
49
+			keyrings:= list of keyrings
50
+			(eg, .builtin_trusted_keys|.ima). Only valid
51
+			when action is "measure" and func is KEY_CHECK.
52
+			template:= name of a defined IMA template type
53
+			(eg, ima-ng). Only valid when action is "measure".
4154 			pcr:= decimal value
4255 
43
-		default policy:
56
+		  default policy:
4457 			# PROC_SUPER_MAGIC
4558 			dont_measure fsmagic=0x9fa0
4659 			dont_appraise fsmagic=0x9fa0
....@@ -88,7 +101,8 @@
88101 
89102 		Examples of LSM specific definitions:
90103 
91
-		SELinux:
104
+		SELinux::
105
+
92106 			dont_measure obj_type=var_log_t
93107 			dont_appraise obj_type=var_log_t
94108 			dont_measure obj_type=auditd_log_t
....@@ -96,10 +110,24 @@
96110 			measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
97111 			measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
98112 
99
-		Smack:
113
+		Smack::
114
+
100115 			measure subj_user=_ func=FILE_CHECK mask=MAY_READ
101116 
102
-		Example of measure rules using alternate PCRs:
117
+		Example of measure rules using alternate PCRs::
103118 
104119 			measure func=KEXEC_KERNEL_CHECK pcr=4
105120 			measure func=KEXEC_INITRAMFS_CHECK pcr=5
121
+
122
+		Example of appraise rule allowing modsig appended signatures:
123
+
124
+			appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
125
+
126
+		Example of measure rule using KEY_CHECK to measure all keys:
127
+
128
+			measure func=KEY_CHECK
129
+
130
+		Example of measure rule using KEY_CHECK to only measure
131
+		keys added to .builtin_trusted_keys or .ima keyring:
132
+
133
+			measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima