> > Are you sure that this example policy is loaded? You can check it by cat'ing
> > policy file.
>
> Good point. It turns out that /sys/kernel/security/ima/policy is empty unless
> I boot with ima_tcb or ima_appraise_tcb. So my /etc/ima/policy does not get
> loaded - need to check whether it's set up correctly.
>
> But my question still stands: if I get policy loading to work, will that
> append or replace the existing policy? If yes, then the Wiki instructions are a bit
> misleading, because the "prepare Tizen image" use case describes how to set
> up a custom policy and in addition, mentions "ima_tcb" and
> "ima_appraise_tcb" as boot parameters although they are redundant in that
> case (right?).
>
The existing policy is replaced by the new one.
'ima_tcb' is the default policy for measuring files. You can see the results of
measuring operations in /sys/kernel/security/ima/ascii_runtime_measurements.
This policy should not lock your system since it does not make any appraise
actions. It's good for debugging purposes.
'ima_appraise_tcb' is the default appraise policy. All files with 'root' as owner
are appraised. It can lock your system if hashes/signatures differ.
Both default policies are defined in the kernel sources.
You're right, Wiki instructions are a bit misleading with this custom policy.
Thank you for pointing this out. I will apply changes.
> Here's another source of confusion for me: how does the ima policy affect
> evm? Does it perhaps control ima/evm together for a certain file, despite the
> name ("IMA policy")?
>
IMA policy does not affect EVM at all. EVM protects extended attributes while
IMA constructs hashes from files and/or signs them for verification purposes.
So you can use only EVM without IMA for protecting LSM attributes like
security.SMACK*
Eventually you could use only IMA but it's nice to have EVM protection also
(offline tampering is possible without EVM).
> Let's ignore the policy loading problem for a second. When I boot with
> "i_version ima_appraise=log ima_tcb ima_template_fmt=d-ng|n-ng|status",
> I still have the problem that files like /etc/resolv.conf cannot be created.
>
Could you verify that this file system is mounted with the 'iversion' flag?
My suggestion is: try to run the device with only IMA on, in fix mode, with
the default policies. You should be able to see IMA measure/appraise actions
without locking the device. After 'fixing' all files (you could just walk through
the file system head'ing all files), try to disable fix mode and run your device
again.
If you add/modify a file in a protected system in which you use digital signatures,
you need to provide the private key for that.
Regards
Zbigniew Jasinski
_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
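
The checks suggested in the reply above (policy actually loaded, file system mounted with the inode-version option, fix mode active before walking the tree), as an added shell example that is not part of the original message or of any Tizen tooling. Assumptions: the function names are hypothetical, fix mode is selected with `ima_appraise=fix` on the kernel command line, and the mount option is listed as `iversion` or `i_version`; the sample input is constructed.

```shell
#!/bin/sh
# Pre-flight checks before the "fix mode" labelling walk described above.

# Succeeds if policy file $1 lists at least one rule. Content is read rather
# than using `test -s`, because securityfs files report a size of 0.
policy_loaded() { grep -q . "$1" 2>/dev/null; }

# Prints the ima_appraise= value found in kernel command line $1, or "unset".
appraise_mode() {
    for arg in $1; do
        case $arg in ima_appraise=*) echo "${arg#ima_appraise=}"; return 0 ;; esac
    done
    echo unset
}

# Reads /proc/mounts-format text on stdin; succeeds if mount point $1 carries
# the inode-version option. Assumption: it is listed as iversion or i_version.
mount_has_iversion() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, opt, ",")
                   for (i = 1; i <= n; i++)
                       if (opt[i] == "iversion" || opt[i] == "i_version") ok = 1 }
        END { exit !ok }'
}

# Reads the first byte of every regular file under $1 without crossing mount
# points, and prints how many files could be read.
fix_walk() {
    find "$1" -xdev -type f \
        -exec sh -c 'head -c 1 "$1" >/dev/null 2>&1 && echo' _ {} \; |
        wc -l | tr -d ' '
}

# Walks $3 only when command line $1 selects fix mode and mount point $2
# (mount table on stdin) has the inode-version option.
guarded_fix_walk() {
    [ "$(appraise_mode "$1")" = fix ] || { echo "not in fix mode" >&2; return 1; }
    mount_has_iversion "$2" || { echo "$2 lacks iversion" >&2; return 2; }
    fix_walk "$3"
}

# Constructed sample input, not taken from a real device.
SAMPLE_CMDLINE='root=/dev/sda2 ima_tcb ima_appraise_tcb ima_appraise=fix'
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime,i_version 0 0
/dev/sda3 /opt ext4 rw,relatime 0 0'
```

On a device, the same functions take live input, for example `guarded_fix_walk "$(cat /proc/cmdline)" / / < /proc/mounts` and `policy_loaded /sys/kernel/security/ima/policy`.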