Loading Documentation/ABI/testing/ima_policy 0 → 100644 +61 −0 Original line number Diff line number Diff line What: security/ima/policy Date: May 2008 Contact: Mimi Zohar <zohar@us.ibm.com> Description: The Trusted Computing Group(TCG) runtime Integrity Measurement Architecture(IMA) maintains a list of hash values of executables and other sensitive system files loaded into the run-time of this system. At runtime, the policy can be constrained based on LSM specific data. Policies are loaded into the securityfs file ima/policy by opening the file, writing the rules one at a time and then closing the file. The new policy takes effect after the file ima/policy is closed. rule format: action [condition ...] action: measure | dont_measure condition:= base | lsm base: [[func=] [mask=] [fsmagic=] [uid=]] lsm: [[subj_user=] [subj_role=] [subj_type=] [obj_user=] [obj_role=] [obj_type=]] base: func:= [BPRM_CHECK][FILE_MMAP][INODE_PERMISSION] mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] fsmagic:= hex value uid:= decimal value lsm: are LSM specific default policy: # PROC_SUPER_MAGIC dont_measure fsmagic=0x9fa0 # SYSFS_MAGIC dont_measure fsmagic=0x62656572 # DEBUGFS_MAGIC dont_measure fsmagic=0x64626720 # TMPFS_MAGIC dont_measure fsmagic=0x01021994 # SECURITYFS_MAGIC dont_measure fsmagic=0x73636673 measure func=BPRM_CHECK measure func=FILE_MMAP mask=MAY_EXEC measure func=INODE_PERM mask=MAY_READ uid=0 The default policy measures all executables in bprm_check, all files mmapped executable in file_mmap, and all files open for read by root in inode_permission. 
Examples of LSM specific definitions: SELinux: # SELINUX_MAGIC dont_measure fsmagic=0xF97CFF8C dont_measure obj_type=var_log_t dont_measure obj_type=auditd_log_t measure subj_user=system_u func=INODE_PERM mask=MAY_READ measure subj_role=system_r func=INODE_PERM mask=MAY_READ Smack: measure subj_user=_ func=INODE_PERM mask=MAY_READ Documentation/DocBook/Makefile +2 −1 Original line number Diff line number Diff line Loading @@ -12,7 +12,8 @@ DOCBOOKS := z8530book.xml mcabook.xml device-drivers.xml \ kernel-api.xml filesystems.xml lsm.xml usb.xml kgdb.xml \ gadget.xml libata.xml mtdnand.xml librs.xml rapidio.xml \ genericirq.xml s390-drivers.xml uio-howto.xml scsi.xml \ mac80211.xml debugobjects.xml sh.xml regulator.xml mac80211.xml debugobjects.xml sh.xml regulator.xml \ alsa-driver-api.xml writing-an-alsa-driver.xml ### # The build process is as follows (targets): Loading Documentation/sound/alsa/DocBook/alsa-driver-api.tmpl→Documentation/DocBook/alsa-driver-api.tmpl +13 −4 Original line number Diff line number Diff line <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> <book> <?dbhtml filename="index.html"> <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" []> <!-- ****************************************************** --> <!-- Header --> <!-- ****************************************************** --> <book id="ALSA-Driver-API"> <bookinfo> <title>The ALSA Driver API</title> Loading Loading @@ -35,6 +35,8 @@ </bookinfo> <toc></toc> <chapter><title>Management of Cards and Devices</title> <sect1><title>Card Management</title> !Esound/core/init.c Loading Loading @@ -71,6 +73,10 @@ !Esound/pci/ac97/ac97_codec.c !Esound/pci/ac97/ac97_pcm.c </sect1> <sect1><title>Virtual Master Control API</title> !Esound/core/vmaster.c !Iinclude/sound/control.h </sect1> </chapter> <chapter><title>MIDI API</title> <sect1><title>Raw MIDI API</title> Loading 
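Review bot: in the new Documentation/ABI/testing/ima_policy the grammar and the rules disagree on the inode-permission keyword: the grammar lists `func:= [BPRM_CHECK][FILE_MMAP][INODE_PERMISSION]` while every rule in the default policy and in the SELinux/Smack examples writes `func=INODE_PERM`; pick one spelling (or state that both are accepted) so a policy author who copies the grammar does not produce a rule the parser rejects. Two further gaps in the same file: the matching semantics are never stated, i.e. whether rules are evaluated in order with the first match winning (placing the `dont_measure fsmagic=` rules ahead of the `measure` rules suggests so, but the text does not say it), and what happens when one rule fails to parse while the file is being written, whether the whole policy is rejected or the rules written before it take effect on close. Also "lsm: are LSM specific" should say that only the labels of the currently active LSM are valid, so the SELinux and Smack rules shown are alternatives and cannot both appear in one loaded policy. Minor: "Date: May 2008" predates this submission (the mac80211 copyright in the same series is updated to 2007-2009); ABI/testing entries normally carry the date the interface is merged.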
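Review bot: the Documentation/DocBook/Makefile hunk adds both alsa-driver-api.xml and writing-an-alsa-driver.xml to DOCBOOKS, but this patch only shows Documentation/sound/alsa/DocBook/alsa-driver-api.tmpl being moved into Documentation/DocBook/; unless writing-an-alsa-driver.tmpl is moved alongside it, the DocBook build will fail on the missing template. It is also worth saying in the commit message whether the old Documentation/sound/alsa/DocBook build files are removed, so the ALSA books are not built from two places.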
@@ -88,6 +94,9 @@ <chapter><title>Miscellaneous Functions</title> <sect1><title>Hardware-Dependent Devices API</title> !Esound/core/hwdep.c </sect1> <sect1><title>Jack Abstraction Layer API</title> !Esound/core/jack.c </sect1> <sect1><title>ISA DMA Helpers</title> !Esound/core/isadma.c Loading Documentation/DocBook/genericirq.tmpl +1 −0 Original line number Diff line number Diff line Loading @@ -440,6 +440,7 @@ desc->chip->end(); used in the generic IRQ layer. </para> !Iinclude/linux/irq.h !Iinclude/linux/interrupt.h </chapter> <chapter id="pubfunctions"> Loading Documentation/DocBook/mac80211.tmpl +8 −4 Original line number Diff line number Diff line Loading @@ -17,8 +17,7 @@ </authorgroup> <copyright> <year>2007</year> <year>2008</year> <year>2007-2009</year> <holder>Johannes Berg</holder> </copyright> Loading Loading @@ -165,8 +164,8 @@ usage should require reading the full document. !Pinclude/net/mac80211.h Frame format </sect1> <sect1> <title>Alignment issues</title> <para>TBD</para> <title>Packet alignment</title> !Pnet/mac80211/rx.c Packet alignment </sect1> <sect1> <title>Calling into mac80211 from interrupts</title> Loading Loading @@ -223,6 +222,11 @@ usage should require reading the full document. !Finclude/net/mac80211.h ieee80211_key_flags </chapter> <chapter id="powersave"> <title>Powersave support</title> !Pinclude/net/mac80211.h Powersave support </chapter> <chapter id="qos"> <title>Multiple queues and QoS support</title> <para>TBD</para> Loading Loading
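Review bot: in the mac80211.tmpl hunks the two new `!P` references (`!Pnet/mac80211/rx.c Packet alignment` and `!Pinclude/net/mac80211.h Powersave support`) only render if the named files carry a matching `DOC: Packet alignment` and `DOC: Powersave support` kernel-doc block, and neither source file is touched by this patch; please confirm those sections exist in the same tree, otherwise the template regresses from a visible "TBD" to an empty section plus a kernel-doc warning. Minor: the "Multiple queues and QoS support" chapter right after the new powersave chapter is still "TBD".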