add boot partition size

hc

2023-12-11 d2ccde1c8e90d38cee87a1b0309ad2827f3fd30d

 kernel/Documentation/ABI/testing/ima_policy
..
..
@@ -15,20 +15,24 @@
15
15
 		IMA appraisal, if configured, uses these file measurements
16
16
 		for local measurement appraisal.
17
17
 
18
-		rule format: action [condition ...]
18
+		::
19
19
 
20
-		action: measure | dont_measure | appraise | dont_appraise |
21
-			audit | hash | dont_hash
22
-		condition:= base | lsm  [option]
20
+		  rule format: action [condition ...]
21
+
22
+		  action: measure | dont_measure | appraise | dont_appraise |
23
+			  audit | hash | dont_hash
24
+		  condition:= base | lsm  [option]
23
25
 			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
24
26
 				[euid=] [fowner=] [fsname=]]
25
27
 			lsm:	[[subj_user=] [subj_role=] [subj_type=]
26
28
 				 [obj_user=] [obj_role=] [obj_type=]]
27
-			option:	[[appraise_type=]] [permit_directio]
28
-
29
-		base: 	func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
30
-				[FIRMWARE_CHECK]
29
+			option:	[[appraise_type=]] [template=] [permit_directio]
30
+				[appraise_flag=] [keyrings=]
31
+		  base:
32
+			func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK]MODULE_CHECK]
33
+			        [FIRMWARE_CHECK]
31
34
 				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
35
+				[KEXEC_CMDLINE] [KEY_CHECK]
32
36
 			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
33
37
 			       [[^]MAY_EXEC]
34
38
 			fsmagic:= hex value
..
..
@@ -36,11 +40,20 @@
36
40
 			uid:= decimal value
37
41
 			euid:= decimal value
38
42
 			fowner:= decimal value
39
-		lsm:  	are LSM specific
40
-		option:	appraise_type:= [imasig]
43
+		  lsm:  are LSM specific
44
+		  option:
45
+			appraise_type:= [imasig] [imasig|modsig]
46
+			appraise_flag:= [check_blacklist]
47
+			Currently, blacklist check is only for files signed with appended
48
+			signature.
49
+			keyrings:= list of keyrings
50
+			(eg, .builtin_trusted_keys|.ima). Only valid
51
+			when action is "measure" and func is KEY_CHECK.
52
+			template:= name of a defined IMA template type
53
+			(eg, ima-ng). Only valid when action is "measure".
41
54
 			pcr:= decimal value
42
55
 
43
-		default policy:
56
+		  default policy:
44
57
 			# PROC_SUPER_MAGIC
45
58
 			dont_measure fsmagic=0x9fa0
46
59
 			dont_appraise fsmagic=0x9fa0
..
..
@@ -88,7 +101,8 @@
88
101
 
89
102
 		Examples of LSM specific definitions:
90
103
 
91
-		SELinux:
104
+		SELinux::
105
+
92
106
 			dont_measure obj_type=var_log_t
93
107
 			dont_appraise obj_type=var_log_t
94
108
 			dont_measure obj_type=auditd_log_t
..
..
@@ -96,10 +110,24 @@
96
110
 			measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
97
111
 			measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
98
112
 
99
-		Smack:
113
+		Smack::
114
+
100
115
 			measure subj_user=_ func=FILE_CHECK mask=MAY_READ
101
116
 
102
-		Example of measure rules using alternate PCRs:
117
+		Example of measure rules using alternate PCRs::
103
118
 
104
119
 			measure func=KEXEC_KERNEL_CHECK pcr=4
105
120
 			measure func=KEXEC_INITRAMFS_CHECK pcr=5
121
+
122
+		Example of appraise rule allowing modsig appended signatures:
123
+
124
+			appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
125
+
126
+		Example of measure rule using KEY_CHECK to measure all keys:
127
+
128
+			measure func=KEY_CHECK
129
+
130
+		Example of measure rule using KEY_CHECK to only measure
131
+		keys added to .builtin_trusted_keys or .ima keyring:
132
+
133
+			measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima