Linux-Integrity Archive on
From: Roberto Sassu
To: m3hm00d
Subject: Re: Whitelisting with IMA
Date: Mon, 13 May 2019 11:09:45 +0200

On 5/12/2019 11:37 AM, m3hm00d wrote:
> tldr: Is there some way to ask IMA not to open (execute) unknown binaries
> Hi all,
> I saw some comments on RFC for WhiteEgret LSM. Someone on the same
> thread said that IMA could be used for whitelisting as well. Based on
> a couple of hours with IMA, it seems to me that IMA can only stop
> execution of (altered) binaries whose hash/sign was earlier measured.


I'm developing an extension (IMA Digest Lists) to allow access to files
depending on a white list (for example digests in RPM headers). I will
publish a new version soon. For the concept, please have a look at:

> If a user installs a new (unknown) application, it seems like IMA is
> going to allow that application to run since IMA can't find any
> integrity loss since IMA doesn't have any 'good' value against the new
> application. Is this correct? Or is there some other option to ask IMA
> not to execute any unknown binary?

If appraisal is enabled, and the application has no signature/HMAC,
access would be denied. If the application is installed by a package
manager, probably files will have an HMAC and access would be granted
unless the IMA policy requires signatures.


> Kind regards,
> m3hm00d

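The distinction Roberto draws above (hash plus HMAC accepted by default, signature required once the policy says so, nothing at all denied) is easy to check on a real system. The following is an added example, not code from the thread or from the IMA project: it prints the two policy variants, classifies a `security.ima` value as printed by `getfattr -e hex` (pass the part after the `=`), and gives the simplified enforce-mode outcome for an existing file. The key path and file names are hypothetical, and the commands that touch securityfs and run `evmctl` need root on a kernel booted with appraisal enabled, so they are shown in a comment rather than executed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the IMA project.
# Assumptions not stated on the page: ima-evm-utils (evmctl) and attr
# (getfattr) are installed; /etc/keys/privkey_ima.pem and the target
# file names are hypothetical.

# Appraisal rule for every executable. Without appraise_type=imasig a hash
# in security.ima (protected by the security.evm HMAC when EVM is enabled)
# is accepted; with it, only a signature is.
ima_policy() {
    case "$1" in
        signatures-only) echo "appraise func=BPRM_CHECK appraise_type=imasig" ;;
        *)               echo "appraise func=BPRM_CHECK" ;;
    esac
}

# Classify the value printed by:  getfattr -n security.ima -e hex -d FILE
# The first byte is the xattr type from the kernel's evm_ima_xattr_type enum:
#   0x01 IMA_XATTR_DIGEST    (legacy sha1 hash)
#   0x03 EVM_IMA_XATTR_DIGSIG (signature)
#   0x04 IMA_XATTR_DIGEST_NG (hash; second byte is the hash algorithm id)
classify_ima_xattr() {
    hex=${1#0x}
    case "$hex" in
        "")      echo none ;;
        01*|04*) echo hash ;;
        03*)     echo signature ;;
        *)       echo unknown ;;
    esac
}

# Simplified outcome in ima_appraise=enforce for an existing file, given the
# xattr class and whether the rule carries appraise_type=imasig. "verify"
# means the kernel goes on to compare the hash or signature against the
# file content (and, for a hash, the HMAC); "deny" is decided before that.
appraise_outcome() {
    class=$1; mode=$2
    case "$class:$mode" in
        none:*)               echo deny ;;   # no security.ima at all
        hash:signatures-only) echo deny ;;   # IMA-signature-required
        hash:*|signature:*)   echo verify ;;
        *)                    echo deny ;;
    esac
}

# Real-world usage (root, appraising kernel); shown, not run here:
#   ima_policy signatures-only > /sys/kernel/security/ima/policy
#   evmctl ima_sign --key /etc/keys/privkey_ima.pem /usr/local/bin/tool
#   getfattr -n security.ima -e hex -d /usr/local/bin/tool
```

A locally built binary that was never signed or hashed has no `security.ima` at all and falls into the first `deny` case; a package-manager-installed file typically carries a hash (type 0x04) and is only denied once the rule adds `appraise_type=imasig`.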


Thread overview: 3+ messages
2019-05-12  9:37 m3hm00d
2019-05-13  9:09 ` Roberto Sassu [this message]
2019-05-14 17:27   ` m3hm00d

