From: Vivek Goyal <vgoyal@redhat.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: "Kasatkin, Dmitry" <dmitry.kasatkin@intel.com>,
dhowells@redhat.com, jmorris@namei.org,
linux-security-module@vger.kernel.org,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC 1/1] ima: digital signature verification using asymmetric keys
Date: Tue, 29 Jan 2013 15:10:47 -0500 [thread overview]
Message-ID: <20130129201047.GC21002@redhat.com> (raw)
In-Reply-To: <1359489673.816.25.camel@falcor1.watson.ibm.com>
On Tue, Jan 29, 2013 at 03:01:13PM -0500, Mimi Zohar wrote:
[..]
> > Hi Mimi,
> >
> > Can we add another field to ima_rule_entry, say .enforcement to control
> > the behavior of .action. Possible values of .enforcement could be, say.
> >
> > ALL
> > SIGNED_ONLY
> >
> > ALL will be default. And with .action= MEASURE, one could possibly use
> > .enforcement=SIGNED_ONLY.
>
> Other than the .action being '.action=APPRAISE', not 'MEASURE',
> something like what you're suggesting could work. How about extending
> the new 'appraise_type=' option? The appraise_type enforces a
> particular type (eg. hash, signature) of verification.
>
> option: appraise_type:= [imasig[,signed_only]]
> eg. appraise_type=imasig,signed_only
Right. Given the fact that signed_only things work only for appraise, it
probably is better to extend the ima_appraise= command line option.
I just wrote something based on Linus' tree. That is, introduce
ima_appraise=enforce_labeled_only.
But I would look at your next branch and try introducing
imasig_signed_only.
In the meantime here is the patch I used. I can now boot my unlabeled
system with "ima_appraise_tcb" and "ima_appraise=enforce_labeled_only".
But somehow my system has slowed down significantly and I can feel
slow boot as well as slow file operations on the terminal.
Thanks
Vivek
---
Documentation/kernel-parameters.txt | 3 ++-
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_appraise.c | 6 ++++++
3 files changed, 9 insertions(+), 1 deletion(-)
Index: linux-2.6/security/integrity/ima/ima_appraise.c
===================================================================
--- linux-2.6.orig/security/integrity/ima/ima_appraise.c 2013-01-18 01:29:29.000000000 -0500
+++ linux-2.6/security/integrity/ima/ima_appraise.c 2013-01-29 14:56:47.636620835 -0500
@@ -24,6 +24,8 @@ static int __init default_appraise_setup
ima_appraise = 0;
else if (strncmp(str, "fix", 3) == 0)
ima_appraise = IMA_APPRAISE_FIX;
+ else if (strncmp(str, "enforce_labeled_only", 21) == 0)
+ ima_appraise = IMA_APPRAISE_ENFORCE_LABELED_ONLY;
return 1;
}
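Review bot: the assignment `ima_appraise = IMA_APPRAISE_ENFORCE_LABELED_ONLY;` replaces the whole flag word, so whenever this option is given the IMA_APPRAISE_ENFORCE bit (0x01 in the ima.h hunk) is no longer set, and any code that tests `ima_appraise & IMA_APPRAISE_ENFORCE` will see enforcement switched off for labeled files as well, which contradicts the name of the mode. If the intent is "enforce, but only for labeled files", set both bits, e.g. `ima_appraise = IMA_APPRAISE_ENFORCE | IMA_APPRAISE_ENFORCE_LABELED_ONLY;`. Minor: the literal "enforce_labeled_only" is 20 characters, so `strncmp(str, "enforce_labeled_only", 21)` also compares the terminating NUL and behaves as an exact match, unlike the prefix matches on the neighbouring lines; `strcmp()` or `sizeof("enforce_labeled_only") - 1` would make the intended comparison explicit.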
@@ -144,6 +146,10 @@ out:
ima_fix_xattr(dentry, iint);
status = INTEGRITY_PASS;
}
+ if ((ima_appraise & IMA_APPRAISE_ENFORCE_LABELED_ONLY) &&
+ (status == INTEGRITY_NOLABEL))
+ status = INTEGRITY_PASS;
+
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
op, cause, rc, 0);
} else {
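Review bot: the override of INTEGRITY_NOLABEL to INTEGRITY_PASS leaves `cause` and `rc` from the failed appraisal untouched, so the integrity_audit_msg() call directly below records the original failure reason for a file that was in fact allowed, and the audit trail cannot distinguish a real failure from a file admitted under enforce_labeled_only. Either skip the audit message in this case or pass a distinct cause and rc of 0 for it. The commit message should also state the resulting guarantee plainly: in this mode every file without an IMA label (security.ima xattr) is trusted, so appraisal only protects files whose label cannot be removed, which is the same gap the signed_only discussion above is trying to close for signatures.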
Index: linux-2.6/security/integrity/ima/ima.h
===================================================================
--- linux-2.6.orig/security/integrity/ima/ima.h 2013-01-18 01:29:29.000000000 -0500
+++ linux-2.6/security/integrity/ima/ima.h 2013-01-29 14:51:25.762610948 -0500
@@ -140,6 +140,7 @@ void ima_delete_rules(void);
#define IMA_APPRAISE_ENFORCE 0x01
#define IMA_APPRAISE_FIX 0x02
#define IMA_APPRAISE_MODULES 0x04
+#define IMA_APPRAISE_ENFORCE_LABELED_ONLY 0x08
#ifdef CONFIG_IMA_APPRAISE
int ima_appraise_measurement(struct integrity_iint_cache *iint,
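Review bot: the new IMA_APPRAISE_ENFORCE_LABELED_ONLY define has no comment describing its semantics, while its neighbours are independent bit flags that are meant to be combined. Add a one-line comment stating that it modifies enforce mode so that files with no IMA label pass appraisal while labeled files are still enforced, and that it is intended to be set together with IMA_APPRAISE_ENFORCE rather than on its own, so readers of ima.h do not have to infer the meaning from ima_appraise.c.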
Index: linux-2.6/Documentation/kernel-parameters.txt
===================================================================
--- linux-2.6.orig/Documentation/kernel-parameters.txt 2013-01-18 01:29:29.000000000 -0500
+++ linux-2.6/Documentation/kernel-parameters.txt 2013-01-29 14:52:44.455613365 -0500
@@ -1064,7 +1064,8 @@ bytes respectively. Such letter suffixes
Set number of hash buckets for inode cache.
ima_appraise= [IMA] appraise integrity measurements
- Format: { "off" | "enforce" | "fix" }
+ Format: { "off" | "enforce" | "fix" |
+ "enforce_labeled_only}
default: "enforce"
ima_appraise_tcb [IMA]
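Review bot: the added Format line is missing its closing quote: `"enforce_labeled_only}` should read `"enforce_labeled_only" }`. The entry also says nothing about what the new value does; a short description such as "enforce_labeled_only: enforce appraisal only for files that carry an IMA label; files without a label are allowed" would let administrators see the weaker guarantee they are opting into before putting it on the command line.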