[PATCH v2 00/15] ima: digest list feature

Matthew Garrett mjg59 at google.com
Thu Nov 9 16:46:22 UTC 2017


On Thu, Nov 9, 2017 at 11:13 AM, Roberto Sassu <roberto.sassu at huawei.com> wrote:
> On 11/9/2017 3:47 PM, Matthew Garrett wrote:
>> There's no need to have a policy that measures those files, because
>> they're part of the already-measured initramfs. Just set the IMA
>> policy after you've loaded the digest list.
>
>
> The default IMA policy measures files accessed from the initial ram
> disk. It is easier to verify individual files, rather than the whole
> image.

That's a matter of implementation. You're not forced to use the default policy.

>> This seems very over-complicated, and it's unclear why the kernel
>> needs to open the file itself. You *know* that all of userland is
>
>
> You can have a look at ima_fs.c. If appraisal is in enforcing mode,
> direct upload of a policy is not permitted. The kernel reads the policy,
> calculates the digest, and verifies the signature.

Is there an expectation that you'll load additional digest lists at runtime?

>> trustworthy at this point even in the absence of signatures. It seem >
>> reasonable to provide a interface that allows userland to pass a
>> digest list to the kernel, in the same way that userland can pass an
>> IMA policy to the kernel. You can then restrict access to that
>> interface via an LSM.
>
>
> Then digest lists cannot be used alone, without an LSM. Also, verifiers
> have to check the LSM policy to ensure that only the parser was able to
> upload the digest lists.

Only if you want to add additional digest lists at runtime, but yes,
you really want to be verifying the LSM policy in any case.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the Linux-security-module-archive mailing list