On Tue, 2015-10-20 at 15:10 +0300, Petko Manolov wrote:
> On 15-10-20 08:00:29, Mimi Zohar wrote:
> > On Tue, 2015-10-20 at 10:26 +0300, Petko Manolov wrote:
> > > On 15-10-19 14:21:42, Mimi Zohar wrote:
> > > > On Fri, 2015-10-16 at 22:31 +0300, Petko Manolov wrote:
> > > > > When in development it is useful to read back the IMA policy.  This patch
> > > > > provides the functionality.  However, this is a potential security hole so
> > > > > it should not be used in production-grade kernels.
> > > >  
> > > > Like the other IMA securityfs files, only root would be able to read it.
> > > > Once we start allowing additional rules to be appended to the policy,
> > > > being able to view the resulting policy is important.  Is there a reason
> > > > for limiting this option to development?
> > > 
> > > I have not considered allowing non-root users to read the policy - I was
> > > merely cleaning up Zbigniew's patch.  I guess it might be useful to be able
> > > to read the policy when in development mode.
> > 
> > I guess I wasn't clear.  I don't have a problem with the patch itself, just
> > with the patch description.  What is this "security hole" that the option
> > should ONLY be configured for development?  Only privileged users can view
> > the policy.  I don't see the problem with configuring it in general.  Please
> > remove the comment.
> 
> By "security hole" I mean being able to read it at all.  Root or non-root.
> Knowing what the IMA policy is may give the attacker an idea how to
> circumvent it.  I used stronger words in order to attract the user's
> attention and consider carefully what the implications are when enabling
> this option.
>
> However, I do not insist on keeping this comment.  I will remove it or
> re-word it if you think it is nonsensical in its present form.
>
> BTW, I still think it is a good idea that only the root user have access to
> the IMA policy.  Unless I hear otherwise I am planning to keep the current
> functionality.

Exactly!  Because only privileged users (e.g. root) have access to
securityfs files, I don't see the security concern.

> > Since responding, I've enabled this feature.  Very nice!
> 
> Have you tried it?

Yes, being able to see the existing policy is nice.

BTW, I haven't compared this patch with the original one yet.  Unless
there were so many changes so that it isn't the same patch anymore, the
patch author should be Zbigniew Jasiński <z.jasin...@samsung.com>.  Any
changes you made would be listed in the change log.

Mimi
