[PATCH v2 0/6] bpf-lsm: Extend interoperability with IMA

Roberto Sassu roberto.sassu at huawei.com
Mon Feb 28 09:12:35 UTC 2022 

> From: Roberto Sassu
> Sent: Monday, February 28, 2022 10:08 AM
> > From: Mimi Zohar [mailto:zohar at linux.ibm.com]
> > Sent: Friday, February 25, 2022 8:11 PM
> > On Fri, 2022-02-25 at 08:41 +0000, Roberto Sassu wrote:
> > > > From: Mimi Zohar [mailto:zohar at linux.ibm.com]
> > > > Sent: Friday, February 25, 2022 1:22 AM
> > > > Hi Roberto,
> > > >
> > > > On Tue, 2022-02-15 at 13:40 +0100, Roberto Sassu wrote:
> > > > > Extend the interoperability with IMA, to give wider flexibility for the
> > > > > implementation of integrity-focused LSMs based on eBPF.
> > > >
> > > > I've previously requested adding eBPF module measurements and signature
> > > > verification support in IMA.  There seemed to be some interest, but
> > > > nothing has been posted.
> > >
> > > Hi Mimi
> > >
> > > for my use case, DIGLIM eBPF, IMA integrity verification is
> > > needed until the binary carrying the eBPF program is executed
> > > as the init process. I've been thinking to use an appended
> > > signature to overcome the limitation of lack of xattrs in the
> > > initial ram disk.
> >
> > I would still like to see xattrs supported in the initial ram disk.
> > Assuming you're still interested in pursuing it, someone would need to
> > review and upstream it.  Greg?
> 
> I could revise this work. However, since appended signatures
> would work too, I would propose to extend this appraisal
> mode to executables, if it is fine for you.

Regarding this patch set, I kindly ask if you could accept it,
after I make the changes suggested.

The changes are simple, and waiting another kernel cycle
seems too long.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua

> > > At that point, the LSM is attached and it can enforce an
> > > execution policy, allowing or denying execution and mmap
> > > of files depending on the digest lists (reference values) read
> > > by the user space side.
> > >
> > > After the LSM is attached, IMA's job would be just to calculate
> > > the file digests (currently, I'm using an audit policy to ensure
> > > that the digest is available when the eBPF program calls
> > > bpf_ima_inode_hash()).
> > >
> > > The main benefit of this patch set is that the audit policy
> > > would not be required and digests are calculated only when
> > > requested by the eBPF program.
> >
> > Roberto, there's an existing eBPF integrity gap that needs to be
> > closed, perhaps not for your usecase, but in general.  Is that
> > something you can look into?
> 
> It could be possible I look into it.
> 
> Roberto
> 
> HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
> Managing Director: Li Peng, Zhong Ronghua

More information about the Linux-security-module-archive mailing list