[PATCH v3 3/4] ima: fail signature verification based on policy
Serge E. Hallyn
serge at hallyn.com
Mon Mar 12 19:28:06 UTC 2018
Quoting Mimi Zohar (zohar at linux.vnet.ibm.com):
> This patch addresses the fuse privileged mounted filesystems in
> environments which are unwilling to accept the risk of trusting the
> signature verification and want to always fail safe, but are for example
> using a pre-built kernel.
> This patch defines a new builtin policy named "fail_securely", which can
> be specified on the boot command line as an argument to "ima_policy=".
> Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
> Cc: Miklos Szeredi <miklos at szeredi.hu>
> Cc: Seth Forshee <seth.forshee at canonical.com>
> Cc: Eric W. Biederman <ebiederm at xmission.com>
> Cc: Dongsu Park <dongsu at kinvolk.io>
> Cc: Alban Crequy <alban at kinvolk.io>
> Cc: Serge E. Hallyn <serge at hallyn.com>
Acked-by: Serge Hallyn <serge at hallyn.com>
> Changelog v3:
> - Rename the builtin policy name
> Changelog v2:
> - address the fail safe environement
> Documentation/admin-guide/kernel-parameters.txt | 8 +++++++-
> security/integrity/ima/ima_appraise.c | 11 ++++++-----
> security/integrity/ima/ima_main.c | 3 ++-
> security/integrity/ima/ima_policy.c | 5 +++++
> security/integrity/integrity.h | 1 +
> 5 files changed, 21 insertions(+), 7 deletions(-)
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 1d1d53f85ddd..2cc17dc7ab84 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1525,7 +1525,8 @@
> ima_policy= [IMA]
> The builtin policies to load during IMA setup.
> - Format: "tcb | appraise_tcb | secure_boot"
> + Format: "tcb | appraise_tcb | secure_boot |
> + fail_securely"
> The "tcb" policy measures all programs exec'd, files
> mmap'd for exec, and all files opened with the read
> @@ -1540,6 +1541,11 @@
> of files (eg. kexec kernel image, kernel modules,
> firmware, policy, etc) based on file signatures.
> + The "fail_securely" policy forces file signature
> + verification failure also on privileged mounted
> + filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
> + flag.
> ima_tcb [IMA] Deprecated. Use ima_policy= instead.
> Load a policy which meets the needs of the Trusted
> Computing Base. This means IMA will measure all
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 4bafb397ee91..3034935e1eb3 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -304,12 +304,13 @@ int ima_appraise_measurement(enum ima_hooks func,
> * File signatures on some filesystems can not be properly verified.
> - * On these filesytems, that are mounted by an untrusted mounter,
> - * fail the file signature verification.
> + * On these filesytems, that are mounted by an untrusted mounter or
How about "When such filesystems are mounted by an untrusted mounter or
on a system not willing to accept such a risk, ..." ?
(also filesytems is misspelled :)
> + * for systems not willing to accept the risk, fail the file signature
> + * verification.
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive