From: Mimi Zohar <zohar@linux.ibm.com>
To: "Lev R. Oshvang ." <levonshe@gmail.com>,
Roberto Sassu <roberto.sassu@huawei.com>
Cc: "linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>, Mimi Zohar <zohar@us.ibm.com>,
Silviu Vlasceanu <Silviu.Vlasceanu@huawei.com>
Subject: Re: [PATCH] integrity ima_policy : Select files by suffix
Date: Mon, 30 Mar 2020 14:05:34 -0400 [thread overview]
Message-ID: <1585591534.5188.435.camel@linux.ibm.com> (raw)
In-Reply-To: <CAP22eLGbwcXzBDpc2QbMOGtjrdYsufUf-8vq4uHt8jjPoQanKQ@mail.gmail.com>
[The normal conventions for this mailing list is bottom post.]
Lev,
On Mon, 2020-03-30 at 20:21 +0300, Lev R. Oshvang . wrote:
> I already answered to Mimi Zohar that applications expect file name in
> open() syscall.
And I disagreed with you. Not only can filenames be renamed, as I
mentioned, but they aren't protected, as Roberto said.
> So there is no need to protect file name otherwise applications just
> stop to work.
> Even now when ima hash is not correct application stops to work.
> Put aside scripts for a second. A lot of programs are configured in
> .ini or .conf files.
> The suffix is a very convenient way to provide these files would be measured.
>
> Now I returning to scripts.
> It is very hard to enforce IMA checks in interpreters. And thinks
> about perl scrips. awk. python scripts. etc
> The proposed suffix rule is easy and lightweight.
> I once had programmed BRM hook of LSM
> I had a very hard time trying to figure out whether shell is opening a
> script or data , how to get filename to check its signature.
> Sometimes script file does not have shebang or does not have
> executable permission.
Only the interpreter knows how the file will be used.
>
> I hope I convinced you.
There have been a number of attempts to define IMA policy rules based
on pathname, which have not been upstreamed. Feel free to use your
solution, but it can't be upstreamed as is.
Mimi
next prev parent reply other threads:[~2020-03-30 18:05 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-30 12:27 [PATCH] integrity ima_policy : Select files by suffix Lev Olshvang
2020-03-30 16:45 ` Roberto Sassu
2020-03-30 17:21 ` Lev R. Oshvang .
2020-03-30 18:05 ` Mimi Zohar [this message]
2020-03-30 20:01 ` Lev R. Oshvang .
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1585591534.5188.435.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=Silviu.Vlasceanu@huawei.com \
--cc=levonshe@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).