* Question on IMA Policy
From: Martin Townsend @ 2018-07-06  9:46 UTC
  To: linux-integrity

Hi,

If I have a root filesystem signed for IMA/EVM could I have a policy
that says appraise every file on this filesystem?  Looking through the
source code I think I could use

appraise fsuuid=uuid-of-root-fs appraise_type=imasig

Would this do what I want?

Many Thanks,
Martin.


* Re: Question on IMA Policy
From: Mimi Zohar @ 2018-07-06 11:59 UTC
  To: Martin Townsend, linux-integrity

Hi Martin,

On Fri, 2018-07-06 at 10:46 +0100, Martin Townsend wrote:
> Hi,
> 
> If I have a root filesystem signed for IMA/EVM could I have a policy
> that says appraise every file on this filesystem.  Looking through the
> source code I think I could use
> 
> appraise fsuuid=uuid-of-root-fs appraise_type=imasig
> 
> Would this do what I want?

Yes, that looks right.  Remember all files on this filesystem will be
considered "immutable", meaning you won't be able to write/update
them, only delete them.

Mimi
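
A pre-enforcement check for the rule confirmed above, as an added example that is not part of the thread: it builds the rule from a validated UUID and lists files whose security.ima xattr holds no signature, which appraise_type=imasig would reject. The function names are assumptions of this example, and inspecting the xattr type byte goes beyond what the thread discusses.

```shell
#!/bin/sh
# Added example; function names are illustrative, not from the thread.
IMA_POLICY=/sys/kernel/security/ima/policy   # securityfs policy file

# True only for a 36-character 8-4-4-4-12 hex UUID. Rejecting every other
# character first keeps whitespace or newlines from smuggling in extra rules.
is_canonical_uuid() {
    case $1 in ''|*[!0-9A-Fa-f-]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
      '^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'
}

# Print the rule from the thread for one filesystem UUID.
ima_appraise_rule() {
    is_canonical_uuid "$1" || { echo "bad UUID: $1" >&2; return 1; }
    printf 'appraise fsuuid=%s appraise_type=imasig\n' "$1"
}

# True if a hex-encoded security.ima value is a signature: its first byte
# is 0x03 (EVM_IMA_XATTR_DIGSIG); 0x01 and 0x04 are plain digests.
is_ima_signature() {
    case $1 in 0x03?*) return 0 ;; *) return 1 ;; esac
}

# List regular files on the filesystem mounted at $1 that carry no
# signature in security.ima and would therefore fail appraisal.
list_unsigned() {
    find "$1" -xdev -type f | while IFS= read -r f; do
        v=$(getfattr -e hex -n security.ima --absolute-names "$f" 2>/dev/null |
            sed -n 's/^security\.ima=//p')
        is_ima_signature "$v" || printf '%s\n' "$f"
    done
}

# Typical use (needs root, findmnt and getfattr); not run automatically:
#   list_unsigned /                       # expect no output before enforcing
#   ima_appraise_rule "$(findmnt -no UUID /)" > "$IMA_POLICY"
```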


* Re: Question on IMA Policy
From: Martin Townsend @ 2018-07-06 13:32 UTC
  To: zohar; +Cc: linux-integrity

Hi Mimi,

On Fri, Jul 6, 2018 at 12:59 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> Hi Martin,
>
> On Fri, 2018-07-06 at 10:46 +0100, Martin Townsend wrote:
> > Hi,
> >
> > If I have a root filesystem signed for IMA/EVM could I have a policy
> > that says appraise every file on this filesystem.  Looking through the
> > source code I think I could use
> >
> > appraise fsuuid=uuid-of-root-fs appraise_type=imasig
> >
> > Would this do what I want?
>
> Yes, that looks right.  Remember all files on this filesystem will be
> considered "immutable", meaning you won't be able to write/update
> them, only delete them.
>

Thank you and being immutable is fine.

> Mimi
>
