From: Tushar Sugandhi <tusharsu@linux.microsoft.com>
To: Casey Schaufler <casey@schaufler-ca.com>,
linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
dm-devel@redhat.com
Cc: jmorris@namei.org, chpebeni@linux.microsoft.com,
nramas@linux.microsoft.com, balajib@microsoft.com,
sashal@kernel.org, suredd@microsoft.com
Subject: Re: [RFC] IMA: New IMA measurements for dm-crypt and selinux
Date: Thu, 16 Apr 2020 17:49:44 -0700
Message-ID: <1feebdbe-94a8-16f7-deea-704e858a40a4@linux.microsoft.com>
In-Reply-To: <b8dcaa3d-5006-2730-aa57-fb99e13c4472@schaufler-ca.com>
On 2020-04-08 9:34 a.m., Casey Schaufler wrote:
> On 4/8/2020 3:19 AM, Tushar Sugandhi wrote:
<snip>
>>
>> B. Measuring selinux constructs:
>> We propose to add an IMA hook in enforcing_set() present under
>> security/selinux/include/security.h.
>> enforcing_set() sets the selinux state to enforcing/permissive etc.
>> and is called from key places like selinux_init(),
>> sel_write_enforce() etc.
>> The hook will measure various attributes related to selinux status.
>> Majority of the attributes are present in the struct selinux_state
>> present in security/selinux/include/security.h
>> e.g.
>> $sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /sys/fs/selinux
>> SELinux root directory: /etc/selinux
>> Loaded policy name: default
>> Current mode: permissive
>> Mode from config file: permissive
>> Policy MLS status: enabled
>> Policy deny_unknown status: allowed
>> Memory protection checking: requested (insecure)
>> Max kernel policy version: 32
>>
>> The above attributes will be serialized into a set of key=value
>> pairs when passed to IMA for measurement.
>>
>> Proposed Function Signature of the IMA hook:
>> void ima_selinux_status(void *selinux_status, int len);
>>
>> Please provide comments/feedback on the proposal.
>
> TL;DR - Why make this SELinux specific?
>
> Integrating IMA and SELinux is a layering violation at best.
> Why isn't this ima_lsm_status(void *lsm_status, int len)?
That seems like a good idea.
I will investigate where I can place the hook for the LSM.
Please let me know if you have any recommendations.
> Or, better yet, how about ima_lsm_status(char *name, void *value, int len),
> and you pass each name/value pair separately? That makes the
> interface generally useful.
>
> Believe it or not, there *ARE* security modules that
> are not SELinux.
>
>>
>> Thanks,
>> Tushar
>>
>> [1] https://sourceforge.net/p/linux-ima/wiki/Home/
>> [2] https://selinuxproject.org/page/FAQ
>> [3] https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
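As an added illustration that is not part of this thread or of the IMA or SELinux code: a userspace C mock of the key=value serialization the proposal describes, built on the per-pair hook shape Casey suggests. The struct, the function names (ima_lsm_status_pair, serialize_lsm_state) and the key names are assumptions.

```c
/* Added userspace illustration of the key=value serialization and the
 * per-pair hook shape discussed above. Not kernel code; all names below
 * (lsm_state_sample, ima_lsm_status_pair, serialize_lsm_state) are assumed. */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the selinux_state fields listed in the mail. */
struct lsm_state_sample {
    int enforcing;      /* Current mode: 1 = enforcing, 0 = permissive */
    int mls_enabled;    /* Policy MLS status */
    int deny_unknown;   /* Policy deny_unknown status: 1 = denied, 0 = allowed */
    int policy_version; /* Max kernel policy version */
};

/* Mock of ima_lsm_status(char *name, void *value, int len): appends one
 * "name=value;" record to buf. Returns the new length, or -1 if the record
 * would not fit; a measurement must never be silently truncated. */
static int ima_lsm_status_pair(char *buf, int buflen, const char *name,
                               const char *value)
{
    int used = (int)strlen(buf);
    int need = snprintf(NULL, 0, "%s=%s;", name, value);

    if (need < 0 || used + need >= buflen)
        return -1;
    snprintf(buf + used, buflen - used, "%s=%s;", name, value);
    return used + need;
}

/* Serialize the sampled state as key=value pairs, one hook call per
 * attribute. Returns the total length, or -1 if any record overflowed. */
static int serialize_lsm_state(const struct lsm_state_sample *s,
                               char *buf, int buflen)
{
    char ver[16];

    snprintf(ver, sizeof(ver), "%d", s->policy_version);
    buf[0] = '\0';
    if (ima_lsm_status_pair(buf, buflen, "current_mode",
                            s->enforcing ? "enforcing" : "permissive") < 0 ||
        ima_lsm_status_pair(buf, buflen, "mls",
                            s->mls_enabled ? "enabled" : "disabled") < 0 ||
        ima_lsm_status_pair(buf, buflen, "deny_unknown",
                            s->deny_unknown ? "denied" : "allowed") < 0)
        return -1;
    return ima_lsm_status_pair(buf, buflen, "max_policy_version", ver);
}
```

With the sample values from the sestatus output above (permissive, MLS enabled, deny_unknown allowed, policy version 32) the buffer reads current_mode=permissive;mls=enabled;deny_unknown=allowed;max_policy_version=32; and the function returns 79.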