[PATCH v2 0/6] bpf-lsm: Extend interoperability with IMA

Roberto Sassu roberto.sassu at huawei.com
Mon Feb 28 09:07:33 UTC 2022


> From: Mimi Zohar [mailto:zohar at linux.ibm.com]
> Sent: Friday, February 25, 2022 8:11 PM
> On Fri, 2022-02-25 at 08:41 +0000, Roberto Sassu wrote:
> > > From: Mimi Zohar [mailto:zohar at linux.ibm.com]
> > > Sent: Friday, February 25, 2022 1:22 AM
> > > Hi Roberto,
> > >
> > > On Tue, 2022-02-15 at 13:40 +0100, Roberto Sassu wrote:
> > > > Extend the interoperability with IMA, to give wider flexibility for the
> > > > implementation of integrity-focused LSMs based on eBPF.
> > >
> > > I've previously requested adding eBPF module measurements and signature
> > > verification support in IMA.  There seemed to be some interest, but
> > > nothing has been posted.
> >
> > Hi Mimi
> >
> > for my use case, DIGLIM eBPF, IMA integrity verification is
> > needed until the binary carrying the eBPF program is executed
> > as the init process. I've been thinking to use an appended
> > signature to overcome the limitation of lack of xattrs in the
> > initial ram disk.
> 
> I would still like to see xattrs supported in the initial ram disk.
> Assuming you're still interested in pursuing it, someone would need to
> review and upstream it.  Greg?

I could revise this work. However, since appended signatures
would work too, I would propose to extend this appraisal
mode to executables, if it is fine for you.

> > At that point, the LSM is attached and it can enforce an
> > execution policy, allowing or denying execution and mmap
> > of files depending on the digest lists (reference values) read
> > by the user space side.
> >
> > After the LSM is attached, IMA's job would be just to calculate
> > the file digests (currently, I'm using an audit policy to ensure
> > that the digest is available when the eBPF program calls
> > bpf_ima_inode_hash()).
> >
> > The main benefit of this patch set is that the audit policy
> > would not be required and digests are calculated only when
> > requested by the eBPF program.
> 
> Roberto, there's an existing eBPF integrity gap that needs to be
> closed, perhaps not for your usecase, but in general.  Is that
> something you can look into?

It could be possible I look into it.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua



More information about the Linux-security-module-archive mailing list