From: "Serge E. Hallyn" <serge@hallyn.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Roberto Sassu <roberto.sassu@huawei.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, silviu.vlasceanu@huawei.com
Subject: Re: [PATCH v2 06/15] ima: add parser of digest lists metadata
Date: Mon, 20 Nov 2017 10:52:06 -0600 [thread overview]
Message-ID: <20171120165206.GA14752@mail.hallyn.com> (raw)
In-Reply-To: <1511186020.4729.66.camel@linux.vnet.ibm.com>
Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> On Mon, 2017-11-20 at 10:40 +0100, Roberto Sassu wrote:
> > On 11/19/2017 12:23 AM, Mimi Zohar wrote:
> > > Hi Serge,
> > >
> > > On Fri, 2017-11-17 at 22:20 -0600, Serge E. Hallyn wrote:
> > >> On Tue, Nov 07, 2017 at 11:37:01AM +0100, Roberto Sassu wrote:
> > >>> from a predefined position (/etc/ima/digest_lists/metadata), when rootfs
> > >>> becomes available. Digest lists must be loaded before IMA appraisal is in
> > >>> enforcing mode.
> > >>
> > >> I'm sure there's a good reason for it, but this seems weird to me.
> > >> Why read it from a file on disk instead of accepting it through say
> > >> a securityfile write?
> >
> > There are two reasons.
> >
> > Digest lists must be loaded before any file is accessed, otherwise IMA
> > will deny the operation if appraisal is in enforcing mode. With digest
> > lists it is possible to appraise files in the initial ram disk without
> > including extended attributes (the default policy excludes those files).
>
> There are a number of people interested in extending CPIO to support
> extended attributes, not just for IMA-appraisal. (Years ago I started
> but unfortunately haven't had time to finish it.) Isn't the right
> solution to add extended attribute support to CPIO?
(For the record) Yes, yes it is.
next prev parent reply other threads:[~2017-11-20 16:52 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-07 10:36 [PATCH v2 00/15] ima: digest list feature Roberto Sassu
2017-11-07 10:36 ` [PATCH v2 01/15] ima: generalize ima_read_policy() Roberto Sassu
2017-11-07 10:36 ` [PATCH v2 02/15] ima: generalize ima_write_policy() Roberto Sassu
2017-11-07 10:36 ` [PATCH v2 03/15] ima: generalize policy file operations Roberto Sassu
2017-11-07 10:36 ` [PATCH v2 04/15] ima: use ima_show_htable_value to show hash table data Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 05/15] ima: add functions to manage digest lists Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 06/15] ima: add parser of digest lists metadata Roberto Sassu
2017-11-18 4:20 ` Serge E. Hallyn
2017-11-18 23:23 ` Mimi Zohar
2017-11-20 9:40 ` Roberto Sassu
2017-11-20 13:53 ` Mimi Zohar
2017-11-20 16:52 ` Serge E. Hallyn [this message]
2017-11-07 10:37 ` [PATCH v2 07/15] ima: add parser of compact digest list Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 08/15] ima: add parser of RPM package headers Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 09/15] ima: introduce securityfs interfaces for digest lists Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 10/15] ima: disable digest lookup if digest lists are not checked Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 11/15] ima: add policy action digest_list Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 12/15] ima: do not update security.ima if appraisal status is not INTEGRITY_PASS Roberto Sassu
2017-11-18 4:25 ` Serge E. Hallyn
2017-11-07 10:37 ` [PATCH v2 13/15] evm: add kernel command line option to select protected xattrs Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 14/15] ima: add support for appraisal with digest lists Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 15/15] ima: add Documentation/security/IMA-digest-lists.txt Roberto Sassu
2017-11-07 13:37 ` [PATCH v2 00/15] ima: digest list feature Mimi Zohar
2017-11-07 16:45 ` Roberto Sassu
2017-11-17 1:08 ` Kees Cook
2017-11-17 8:55 ` Roberto Sassu
2017-11-17 12:21 ` Mimi Zohar
2017-11-07 14:49 ` Matthew Garrett
2017-11-07 17:53 ` Roberto Sassu
2017-11-07 18:06 ` Matthew Garrett
2017-11-08 12:00 ` Roberto Sassu
2017-11-08 15:48 ` Matthew Garrett
2017-11-09 9:51 ` Roberto Sassu
2017-11-09 14:47 ` Matthew Garrett
2017-11-09 16:13 ` Roberto Sassu
2017-11-09 16:46 ` Matthew Garrett
2017-11-09 17:23 ` Roberto Sassu
2017-11-09 16:17 ` Mimi Zohar
2017-11-07 18:03 ` Safford, David (GE Global Research, US)
2017-11-08 10:16 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171120165206.GA14752@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=silviu.vlasceanu@huawei.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).