Linux-Integrity Archive on lore.kernel.org
From: Roberto Sassu <roberto.sassu@huawei.com>
To: m3hm00d <f.m3hm00d@gmail.com>, <linux-integrity@vger.kernel.org>
Subject: Re: Whitelisting with IMA
Date: Mon, 13 May 2019 11:09:45 +0200
Message-ID: <c4adc9d7-9244-1cbe-693c-2f090851d804@huawei.com>
In-Reply-To: <CAL8qiskDtYJ0NY3u+zV3YBMR4Qs_YcHSHZ61per5jwZ3n54r8A@mail.gmail.com>

On 5/12/2019 11:37 AM, m3hm00d wrote:
> tldr: Is there some way to ask IMA not to open (execute) unknown binaries
> 
> Hi all,
> 
> I saw some comments on RFC for WhiteEgret LSM. Someone on the same
> thread said that IMA could be used for whitelisting as well. Based on
> a couple of hours with IMA, it seems to me that IMA can only stop
> execution of (altered) binaries whose hash/sign was earlier measured.

Hi

I'm developing an extension (IMA Digest Lists) to allow access to files
depending on a white list (for example digests in RPM headers). I will
publish a new version soon. For the concept, please have a look at:

https://github.com/euleros/linux/wiki/IMA-Digest-Lists-Extension
https://github.com/euleros/digest-list-tools/wiki/Architecture


> If a user installs a new (unknown) application, it seems like IMA is
> going to allow that application to run since IMA can't find any
> integrity loss since IMA doesn't have any 'good' value against the new
> application. Is this correct? Or is there some other option to ask IMA
> not to execute any unknown binary?

If appraisal is enabled, and the application has no signature/HMAC,
access would be denied. If the application is installed by a package
manager, probably files will have an HMAC and access would be granted
unless the IMA policy requires signatures.

Roberto


> Kind regards,
> m3hm00d
> 

-- 
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI
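As an added illustration of the appraisal behaviour Roberto describes above (example code, not from the thread or from the kernel): a POSIX shell helper that reads the type byte of a file's security.ima xattr, the way the kernel tells a stored file hash apart from a signature, and reports whether a plain appraise rule or one with appraise_type=imasig would admit the file. The getfattr invocation and the sample hex values are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: classify what IMA appraisal finds in security.ima.
# The first byte is the kernel's evm_ima_xattr_type
# (security/integrity/integrity.h):
#   0x01 IMA_XATTR_DIGEST     legacy file hash
#   0x03 EVM_IMA_XATTR_DIGSIG signature  -> satisfies appraise_type=imasig
#   0x04 IMA_XATTR_DIGEST_NG  file hash  -> plain appraise only
# The HMAC mentioned in the reply lives in security.evm and protects
# that hash; a policy rule that insists on signatures for executables is:
#   appraise func=BPRM_CHECK appraise_type=imasig

# ima_xattr_kind HEX  - HEX as printed by `getfattr -e hex` (0x0404...)
ima_xattr_kind() {
    hex=$(printf '%s' "$1" | sed 's/^0x//')
    case "$(printf '%s' "$hex" | cut -c1-2)" in
        "")    echo none ;;
        01|04) echo hash ;;
        03)    echo signature ;;
        *)     echo unknown ;;
    esac
}

# ima_would_pass HEX [imasig] - verdict of an appraise rule for this xattr.
# Without appraise_type a hash is accepted; with imasig only a signature is.
ima_would_pass() {
    kind=$(ima_xattr_kind "$1")
    if [ "$2" = imasig ]; then
        [ "$kind" = signature ] && echo allow || echo deny
    else
        case "$kind" in hash|signature) echo allow ;; *) echo deny ;; esac
    fi
}

# ima_check_file PATH [imasig] - read the real xattr (needs getfattr, root).
ima_check_file() {
    val=$(getfattr --only-values -e hex -n security.ima "$1" 2>/dev/null)
    printf '%s: %s -> %s\n' "$1" "$(ima_xattr_kind "$val")" \
        "$(ima_would_pass "$val" "$2")"
}

# Constructed sample values: one hash-type entry and one signature entry.
ima_check_demo() {
    ima_would_pass 0x0404aa11 imasig   # deny: hash present, imasig required
    ima_would_pass 0x0302aabb imasig   # allow: signature
    ima_would_pass 0x0404aa11          # allow: hash is enough here
    ima_would_pass ""                  # deny: no xattr at all
}
```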