On Thu, 2015-12-10 at 21:12 +0200, Petko Manolov wrote:

> On 15-12-08 13:01:24, Mimi Zohar wrote:
> > Require the IMA policy to be signed when additional rules can be added.
> > 
> > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
> > ---
> >  security/integrity/ima/ima_policy.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/security/integrity/ima/ima_policy.c 
> > b/security/integrity/ima/ima_policy.c
> > index 87614a6..6248ae23 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -131,6 +131,10 @@ static struct ima_rule_entry default_appraise_rules[] 
> > = {
> >     {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = 
> > IMA_FSMAGIC},
> >     {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
> >     {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = 
> > IMA_FSMAGIC},
> > +#ifdef CONFIG_IMA_WRITE_POLICY
> > +   {.action = APPRAISE, .read_func = POLICY_CHECK,
> > +   .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
> > +#endif
> 
> The only time this is not going to work is when there is no IMA key in the 
> keyring and there is no default policy so you need to load one at boot time.  
> This case does not make much sense, however, so I assume the patch is fine.

Up to now, the policy could be replaced only once, which was normally
done in the initramfs.  With the ability to extend the IMA policy on a
running system, it is important that these policy extensions be signed.

To clarify, this patch modifies the builtin appraise policy, so that the
subsequent policy needs to be signed.  If the system is not booted with
the built-in appraise policy (not a good idea), then the policy being
loaded won't need to be signed.

It is safe for the certificate file not to be signed, as the cert itself
must be signed by a key on either of the trusted (e.g. system or ima_mok)
keyrings for it to be added to the .ima keyring.

Thank you for reviewing the patch and making sure it doesn't break your
usecase scenario.

Mimi

> >  #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
> >     {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
> >  #else
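Review bot: the commit message should state where the requirement comes from and when it applies. The new POLICY_CHECK rule is added to default_appraise_rules[], so it only takes effect on systems booted with the builtin appraise policy, and it is deliberately placed ahead of the generic `{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},` rule so that the IMA_DIGSIG_REQUIRED flag is the one that governs a root-owned policy file. A one-line comment above the `#ifdef CONFIG_IMA_WRITE_POLICY` block saying that the rule must precede the root-owned APPRAISE rule would keep a later reshuffle of the table from silently dropping the signature requirement.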
> 
> 
>               Petko
> 
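As an added illustration that is not part of the thread or of the kernel source: a reduced C model of the appraise-rule walk in ima_policy.c, written to show the effect Mimi describes above. Rule field names and the rule order follow the quoted hunk; the bit values, the magic numbers, the file-context struct, the verdict functions and the "misordered" table are assumptions of the model, not kernel definitions.

```c
/* Added illustration, not code from the patch or the kernel: a reduced model
 * of how IMA walks default_appraise_rules[].  It shows that the POLICY_CHECK
 * rule from the hunk takes effect only when the builtin appraise policy is
 * loaded, and only because it precedes the generic root-owned APPRAISE rule. */
#include <stdio.h>
#include <stddef.h>

/* Rule actions and condition flags: model values, not the kernel's. */
#define APPRAISE            0x01
#define DONT_APPRAISE       0x02
#define IMA_FUNC            0x10
#define IMA_FSMAGIC         0x20
#define IMA_FOWNER          0x40
#define IMA_DIGSIG_REQUIRED 0x100

#define GLOBAL_ROOT_UID     0
#define SELINUX_MAGIC       0xA1   /* model value, not linux/magic.h */
#define DISK_FS_MAGIC       0xA2   /* model value for an ordinary disk fs */

enum ima_hooks { FILE_CHECK = 1, POLICY_CHECK };

struct ima_rule_entry {
    int action;
    enum ima_hooks func;
    unsigned long fsmagic;
    unsigned int fowner;
    int flags;          /* conditions to test, plus IMA_DIGSIG_REQUIRED */
};

/* What the hook knows about the file being opened (model struct). */
struct file_ctx {
    enum ima_hooks func;
    unsigned long fsmagic;
    unsigned int fowner;
};

static int rule_matches(const struct ima_rule_entry *r, const struct file_ctx *f)
{
    if ((r->flags & IMA_FUNC) && r->func != f->func)
        return 0;
    if ((r->flags & IMA_FSMAGIC) && r->fsmagic != f->fsmagic)
        return 0;
    if ((r->flags & IMA_FOWNER) && r->fowner != f->fowner)
        return 0;
    return 1;
}

/* As in ima_match_policy(), the first matching appraise-class rule settles the
 * appraise verdict; later APPRAISE/DONT_APPRAISE rules are not consulted.
 * Returns 0 (no appraisal) or APPRAISE, possibly with IMA_DIGSIG_REQUIRED. */
static int match_policy(const struct ima_rule_entry *rules, size_t n,
                        const struct file_ctx *f)
{
    for (size_t i = 0; i < n; i++) {
        if (!rule_matches(&rules[i], f))
            continue;
        if (rules[i].action == DONT_APPRAISE)
            return 0;
        return APPRAISE | (rules[i].flags & IMA_DIGSIG_REQUIRED);
    }
    return 0;
}

/* Builtin appraise policy as the hunk leaves it (CONFIG_IMA_WRITE_POLICY=y). */
static const struct ima_rule_entry builtin_with_patch[] = {
    {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
    {.action = APPRAISE, .func = POLICY_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
    {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
};
/* Same policy with CONFIG_IMA_WRITE_POLICY unset: the new rule is absent. */
static const struct ima_rule_entry builtin_without_patch[] = {
    {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
    {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
};
/* Hypothetical mis-ordering: the new rule placed after the root-owned one. */
static const struct ima_rule_entry patch_rule_misordered[] = {
    {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
    {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
    {.action = APPRAISE, .func = POLICY_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
};

/* Root loading a policy file that lives on an ordinary filesystem. */
static const struct file_ctx policy_load = {POLICY_CHECK, DISK_FS_MAGIC, GLOBAL_ROOT_UID};
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

int verdict_builtin_with_patch(void)
{ return match_policy(builtin_with_patch, NELEM(builtin_with_patch), &policy_load); }
int verdict_builtin_without_patch(void)
{ return match_policy(builtin_without_patch, NELEM(builtin_without_patch), &policy_load); }
int verdict_patch_rule_misordered(void)
{ return match_policy(patch_rule_misordered, NELEM(patch_rule_misordered), &policy_load); }
/* Booted without the builtin appraise policy: an empty rule list. */
int verdict_no_builtin_policy(void)
{ return match_policy(builtin_with_patch, 0, &policy_load); }
/* A root-owned file on selinuxfs hits DONT_APPRAISE before either APPRAISE rule. */
int verdict_selinuxfs_file(void)
{
    struct file_ctx f = {FILE_CHECK, SELINUX_MAGIC, GLOBAL_ROOT_UID};
    return match_policy(builtin_with_patch, NELEM(builtin_with_patch), &f);
}

int main(void)
{
    printf("builtin + patch:   0x%x\n", verdict_builtin_with_patch());    /* APPRAISE|DIGSIG */
    printf("builtin, no patch: 0x%x\n", verdict_builtin_without_patch()); /* APPRAISE only */
    printf("rule misordered:   0x%x\n", verdict_patch_rule_misordered()); /* APPRAISE only */
    printf("no builtin policy: 0x%x\n", verdict_no_builtin_policy());     /* 0 */
    return 0;
}
```

The two verdicts worth comparing are the second and the third: without the builtin appraise policy the policy write is not appraised at all, which is Mimi's caveat, and with the new rule placed after the root-owned rule it is appraised but the signature requirement is lost, which is why the hunk inserts it before that rule.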

