linux-kernel.vger.kernel.org archive mirror
From: Vivek Goyal <vgoyal@redhat.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: "Kasatkin, Dmitry" <dmitry.kasatkin@intel.com>,
	dhowells@redhat.com, jmorris@namei.org,
	linux-security-module@vger.kernel.org,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC 1/1] ima: digital signature verification using asymmetric keys
Date: Tue, 29 Jan 2013 15:10:47 -0500
Message-ID: <20130129201047.GC21002@redhat.com>
In-Reply-To: <1359489673.816.25.camel@falcor1.watson.ibm.com>

On Tue, Jan 29, 2013 at 03:01:13PM -0500, Mimi Zohar wrote:

[..]
> > Hi Mimi,
> > 
> > Can we add another field to ima_rule_entry, say .enforcement to control
> > the behavior of .action. Possible values of .enforcement could be, say.
> > 
> > ALL
> > SIGNED_ONLY
> > 
> > ALL will be default. And with .action= MEASURE, one could possibly use
> > .enforcement=SIGNED_ONLY.
> 
> Other than the .action being '.action=APPRAISE', not 'MEASURE',
> something like what you're suggesting, could work.  How about extending
> the new 'appraise_type=' option?   The appraise_type enforces a
> particular type (eg. hash, signature) of verification. 
> 
> option: appraise_type:= [imasig[,signed_only]]
> eg. appraise_type=imasig,signed_only

Right. Given the fact that signed_only things work only for appraise, it
probably is better to extend ima_appraise= command line option.

I just wrote something based on Linus's tree. That is, introduce
ima_appraise=enforce_labeled_only.

But I would look at your next branch and try introducing
imasig_signed_only.

In the meantime, here is the patch I used. I can now boot my unlabeled
system with "ima_appraise_tcb" and "ima_appraise=enforce_labeled_only".

But somehow my system has slowed down significantly and I can feel a
slow boot as well as slow file operations on the terminal.

Thanks
Vivek

---
 Documentation/kernel-parameters.txt   |    3 ++-
 security/integrity/ima/ima.h          |    1 +
 security/integrity/ima/ima_appraise.c |    6 ++++++
 3 files changed, 9 insertions(+), 1 deletion(-)

Index: linux-2.6/security/integrity/ima/ima_appraise.c
===================================================================
--- linux-2.6.orig/security/integrity/ima/ima_appraise.c	2013-01-18 01:29:29.000000000 -0500
+++ linux-2.6/security/integrity/ima/ima_appraise.c	2013-01-29 14:56:47.636620835 -0500
@@ -24,6 +24,8 @@ static int __init default_appraise_setup
 		ima_appraise = 0;
 	else if (strncmp(str, "fix", 3) == 0)
 		ima_appraise = IMA_APPRAISE_FIX;
+	else if (strncmp(str, "enforce_labeled_only", 21) == 0)
+		ima_appraise = IMA_APPRAISE_ENFORCE_LABELED_ONLY;
 	return 1;
 }
 
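Review bot: the new branch in default_appraise_setup assigns `ima_appraise = IMA_APPRAISE_ENFORCE_LABELED_ONLY`, which replaces the mode rather than adding to it, so the IMA_APPRAISE_ENFORCE bit (0x01 in ima.h) is clear and any code that tests that bit will treat this mode as not enforcing. If labeled files are still meant to be enforced, set both bits, e.g. `IMA_APPRAISE_ENFORCE | IMA_APPRAISE_ENFORCE_LABELED_ONLY`. Separately, the length 21 includes the terminating NUL and makes this an exact match, while the "fix" test above is a 3-byte prefix match; sizeof() on the literal or a plain strcmp() would make the intent explicit and avoid the hand-counted length.
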
@@ -144,6 +146,10 @@ out:
 			ima_fix_xattr(dentry, iint);
 			status = INTEGRITY_PASS;
 		}
+		if ((ima_appraise & IMA_APPRAISE_ENFORCE_LABELED_ONLY) &&
+		   (status == INTEGRITY_NOLABEL))
+			status = INTEGRITY_PASS;
+
 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
 				    op, cause, rc, 0);
 	} else {
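Review bot: the added check after ima_fix_xattr() rewrites INTEGRITY_NOLABEL to INTEGRITY_PASS, so a file whose label has been removed is treated the same as a file that never had one, and this mode gives no protection against a label being stripped from a file that was previously labeled. That trade-off should be stated in the changelog and documentation, or the relaxation narrowed so it cannot apply to files that are expected to carry a label. The override also sits before integrity_audit_msg(), which still logs `cause` and `rc` for an access that is now allowed; either skip the audit record in this case or log it with a cause that says the missing label was tolerated. The continuation line `(status == INTEGRITY_NOLABEL))` is indented with three spaces and should line up under the condition above it.
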
Index: linux-2.6/security/integrity/ima/ima.h
===================================================================
--- linux-2.6.orig/security/integrity/ima/ima.h	2013-01-18 01:29:29.000000000 -0500
+++ linux-2.6/security/integrity/ima/ima.h	2013-01-29 14:51:25.762610948 -0500
@@ -140,6 +140,7 @@ void ima_delete_rules(void);
 #define IMA_APPRAISE_ENFORCE	0x01
 #define IMA_APPRAISE_FIX	0x02
 #define IMA_APPRAISE_MODULES	0x04
+#define IMA_APPRAISE_ENFORCE_LABELED_ONLY	0x08
 
 #ifdef CONFIG_IMA_APPRAISE
 int ima_appraise_measurement(struct integrity_iint_cache *iint,
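Review bot: IMA_APPRAISE_ENFORCE_LABELED_ONLY is added as a separate bit (0x08) with no comment on how it relates to IMA_APPRAISE_ENFORCE (0x01). Add a comment saying whether it is a modifier meant to be combined with the enforce bit or a stand-alone mode, since the name implies enforcement while the value does not include 0x01.
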
Index: linux-2.6/Documentation/kernel-parameters.txt
===================================================================
--- linux-2.6.orig/Documentation/kernel-parameters.txt	2013-01-18 01:29:29.000000000 -0500
+++ linux-2.6/Documentation/kernel-parameters.txt	2013-01-29 14:52:44.455613365 -0500
@@ -1064,7 +1064,8 @@ bytes respectively. Such letter suffixes
 			Set number of hash buckets for inode cache.
 
 	ima_appraise=	[IMA] appraise integrity measurements
-			Format: { "off" | "enforce" | "fix" }
+			Format: { "off" | "enforce" | "fix" |
+				  "enforce_labeled_only}
 			default: "enforce"
 
 	ima_appraise_tcb [IMA]
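Review bot: the new Format line is missing the closing quote: `"enforce_labeled_only}` should read `"enforce_labeled_only" }`. The entry also gives no description of the new value; add a line stating that in this mode files without a label pass appraisal and only labeled files are enforced.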
