
Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies



On Wed, 2012-02-22 at 10:45 +1100, m.cassaniti@xxxxxxxxx wrote:


> Hi Mimi,
> Could you please elaborate on the wiki what the ima_appraise options
> actually mean? I can take a guess, but a simple table explaining
> exactly what they are would be useful. Same with the evm options.

Thanks for the suggestions.

> Additionally, the wiki (as I have read it) suggests that measuring is
> enabled and on when the ima_tcb kernel option is given. From what
> you've written on the list, it should be possible to appraise when a
> file is mmapped, opened or executed according to the policy without
> being measured. Can you make this a bit more explicit in the wiki,
> explaining what the measurement options are to enable/disable
> measurement? If this is done via the policy instead of via a kernel
> option, can you adjust that as well (I don't know if there's a policy
> option of appraise only)?

These are all good questions.  For IMA measurement, the chain of trust
needs to be there before we access any files, including the measurement
policy; so we require a builtin policy.  Is this also necessary for
appraisal?  Perhaps, but I'm not sure.  It might suffice to provide
dracut, or equivalent, with the measurement/appraisal policy name on the
boot command line.

> You're doing some great work here. While I'm not using IMA for
> attestation, I'm planning on verifying all my configuration files and
> executables. The features you've got ready for the 3.3 merge seem to
> fit exactly what I'm after, but I need to know what to set in kernel
> first. Keep up the good work.

Thank you for your support!  Unfortunately, the benefits of the 3.3
features - verifying and appraising files - require IMA-appraisal,
which is still a proposed patch set.

git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
#next-ima-appraisal

For the IMA-appraisal patches to be upstreamed, we most likely need some
additional reviews/Acks. :)  The patches were last posted at
http://marc.info/?l=linux-security-module&m=133062939721505&w=2

thanks,

Mimi
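The measurement-versus-appraisal policy split discussed in this thread, as an added example that is not code from the thread, the kernel, or the systemd patch named in the subject: a POSIX shell script that emits a custom IMA policy combining the ima_tcb measurement rules (execute, mmap, root read) with a single appraise rule, checks every rule against the policy grammar before anything is handed to the kernel, and writes to securityfs only when invoked with `--load` as root. Assumptions, all constructed for illustration: the `/etc/ima/ima-policy` path, the `appraise`/`dont_appraise` actions (which need the IMA-appraisal patch set Mimi points to), and the particular rule set.

```shell
#!/bin/sh
# Added example (not from the thread, the kernel, or the systemd patch): build,
# sanity-check and optionally load a custom IMA policy.
# Assumptions: rule syntax as in Documentation/ABI/testing/ima_policy; the
# appraise/dont_appraise actions require the IMA-appraisal patch set; the file
# path below is what a systemd-style loader is assumed to read.
IMA_POLICY_FILE="${IMA_POLICY_FILE:-/etc/ima/ima-policy}"
IMA_SECURITYFS="${IMA_SECURITYFS:-/sys/kernel/security/ima/policy}"

# Constructed policy: pseudo filesystems excluded (fsmagic values from
# linux/magic.h), the three ima_tcb measurement rules, and one appraise rule
# that verifies root-owned files without measuring anything by itself.
ima_policy_rules() {
    cat <<'EOF'
# pseudo filesystems: neither measured nor appraised
dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_appraise fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_appraise fsmagic=0x64626720
dont_measure fsmagic=0x01021994
dont_appraise fsmagic=0x01021994
dont_measure fsmagic=0x73636673
dont_appraise fsmagic=0x73636673
# measurement (ima_tcb equivalent): exec, executable mmap, root reads
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
# appraisal only: root-owned files on open/exec/mmap, independent of measurement
appraise fowner=0
EOF
}

# validate_rule RULE -> 0 if the action and every key=value pair are known.
# The func values are the three hooks the thread names (exec, mmap, open).
validate_rule() {
    set -f                      # no glob expansion while splitting the rule
    set -- $1
    set +f
    case "$1" in
        measure|dont_measure|appraise|dont_appraise) ;;
        *) return 1 ;;
    esac
    shift
    for tok in "$@"; do
        case "$tok" in
            func=BPRM_CHECK|func=FILE_MMAP|func=FILE_CHECK) ;;
            func=*) return 1 ;;
            mask=*|fsmagic=*|uid=*|fowner=*) ;;
            obj_user=*|obj_role=*|obj_type=*|subj_user=*|subj_role=*|subj_type=*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# validate_policy: read a policy on stdin, report bad rules on stderr,
# return 0 only if at least one rule exists and none is invalid.
validate_policy() {
    vp_bad=0; vp_n=0
    while read -r line; do          # plain read strips surrounding whitespace
        case "$line" in ''|'#'*) continue ;; esac
        vp_n=$((vp_n + 1))
        if ! validate_rule "$line"; then
            echo "invalid rule: $line" >&2
            vp_bad=$((vp_bad + 1))
        fi
    done
    [ "$vp_n" -gt 0 ] && [ "$vp_bad" -eq 0 ]
}

# policy_strip: drop comments and blank lines so only rules reach the kernel.
policy_strip() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d'
}

# ima_policy_load: validate first, then write the stripped rules to securityfs.
ima_policy_load() {
    if [ ! -w "$IMA_SECURITYFS" ]; then
        echo "cannot write $IMA_SECURITYFS (root and mounted securityfs needed)" >&2
        return 1
    fi
    ima_policy_rules | validate_policy || return 1
    ima_policy_rules | policy_strip > "$IMA_SECURITYFS"
}

case "${1:-}" in
    --write) ima_policy_rules | validate_policy && ima_policy_rules > "$IMA_POLICY_FILE" ;;
    --load)  ima_policy_load ;;
    *)       ima_policy_rules | validate_policy \
                 && echo "policy OK: $(ima_policy_rules | policy_strip | wc -l) rules" ;;
esac
```

Run with no arguments to check the rule set, `--write` to drop it into the policy file for a boot-time loader, or `--load` (as root, with securityfs mounted) to feed it to the running kernel; the validator rejects unknown actions, unknown keys and unknown `func=` hooks before any write happens.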

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

