Re: [systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies
On 02/20/2012 08:18 PM, Lennart Poettering wrote:
> On Mon, 20.02.12 20:06, Roberto Sassu (roberto.sassu@xxxxxxxxx) wrote:
>
>>> We moved SELinux loading out of the initrd into systemd, in order to
>>> support fully featured initrd-less boots. I don't think we should reopen
>>> this problem set by having IMA in the initrd. I believe IMA should be
>>> treated pretty much exactly like SELinux here: the policy should be
>>> loaded from PID1 and it needs to be a compile time option, and it needs
>>> a kernel cmdline option to disable it (i.e. like selinux=0).
>>
>> If the SELinux module in dracut is to be considered definitively broken
>> probably also the IMA module should be removed, because it will not be
>> possible to load policies with LSM rules. But I don't know how this
>> feature can be supported by distributions without Systemd installed.
>
> Well, if the rumours I keep hearing are true Ubuntu might join the
> systemd camp too after their LTS release. Maybe the supporting
> non-systemd systems issue solves itself by that for you?
The code for loading IMA custom policies was placed in the initial ramdisk with the purpose to avoid distribution specific dependencies. However, since the SELinux initialization has been moved to Systemd and Systemd itself will be used by the major distributions, I think placing the IMA code here is the best solution, even if it is not the most general.
>> Regarding the kernel option, actually there is no specific parameter to
>> disable IMA. However, it can be introduced in the patches proposed by
>> Mimi Zohar about the 'ima-appraisal' feature. This can allow disabling
>> IMA or putting it in permissive/enforce mode as it happens for example
>> in SELinux.
>
> Whether there is a kernel option to enable/disable IMA will not stop
> these patches from getting into systemd. But I am quite sure they will
> stop IMA from getting any wider coverage in the mainstream distributions
> (if you care for that).
Actually, IMA doesn't take any action if the policy is not provided, nor does it consume additional system resources. Further, in the current implementation, even if IMA measures files it does not return any error to the system call being executed.
> Oh, and one more thing: it matters to me that this doesn't break my
> build. So it needs to allow me booting when enabled in configure, but
> without any IMA policy around.
Ok, this should not be a problem because all errors (IMA support not included in the kernel, policy file access denied, ...) are ignored except for the mmap() failure.

Thanks

Roberto Sassu
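The error-tolerance rule Roberto describes (a missing policy, a kernel without IMA, or an unreadable policy file must not stop the boot; only an mmap() failure is fatal) is the part of the patch a reviewer would most want to see, and the patch itself is not quoted in the thread. The loader below is an added illustration written for this page, not the systemd patch or systemd's ima-setup code. It assumes the real securityfs node `/sys/kernel/security/ima/policy` as the destination, takes the policy path as a parameter, and feeds the policy one rule per write() call (the granularity the kernel's policy interface parses). The `demo_run()` self-test uses a constructed two-rule policy and a temp file standing in for the securityfs node, so it runs unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Real securityfs node that accepts IMA policy rules; hypothetical default policy path. */
#define IMA_SECFS_POLICY   "/sys/kernel/security/ima/policy"
#define IMA_DEFAULT_POLICY "/etc/ima/ima-policy"

enum ima_load_result {
    IMA_FATAL = -1,     /* mmap() of the policy failed: the one error not tolerated */
    IMA_TOLERATED = 0,  /* no policy, no IMA in kernel, no access, or a rejected rule: boot goes on */
    IMA_LOADED = 1      /* every rule was written to the policy node */
};

/* Load the custom policy at policy_path into the IMA policy node at sink_path. */
int ima_load_policy(const char *policy_path, const char *sink_path) {
    int fd = open(policy_path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return IMA_TOLERATED;                 /* ENOENT/EACCES: nothing to load, not an error */

    struct stat st;
    if (fstat(fd, &st) < 0 || st.st_size == 0) {
        close(fd);
        return IMA_TOLERATED;                 /* empty policy file: nothing to do */
    }

    size_t len = (size_t)st.st_size;
    const char *map = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (map == MAP_FAILED)
        return IMA_FATAL;                     /* the single condition the thread treats as fatal */

    int rc = IMA_LOADED;
    int sink = open(sink_path, O_WRONLY | O_CLOEXEC);
    if (sink < 0) {
        rc = IMA_TOLERATED;                   /* securityfs absent or IMA not compiled in */
    } else {
        /* One rule per write(): the kernel parses each write as a single rule. */
        const char *p = map, *end = map + len;
        while (p < end) {
            const char *nl = memchr(p, '\n', (size_t)(end - p));
            size_t n = nl ? (size_t)(nl - p) + 1 : (size_t)(end - p);
            if (write(sink, p, n) != (ssize_t)n) {
                rc = IMA_TOLERATED;           /* a rule the kernel rejected: keep booting */
                break;
            }
            p += n;
        }
        close(sink);
    }
    munmap((void *)map, len);
    return rc;
}

/* Constructed sample policy using real IMA rule syntax: skip procfs, measure every exec. */
static const char SAMPLE_POLICY[] =
    "dont_measure fsmagic=0x9fa0\n"
    "measure func=BPRM_CHECK\n";

/* Returns 1 when the file at path holds exactly `expected`. */
static int file_equals(const char *path, const char *expected) {
    char buf[4096];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0)
        return 0;
    return strlen(expected) == (size_t)n && memcmp(buf, expected, (size_t)n) == 0;
}

/* Unprivileged self-test: a temp file stands in for the securityfs node. Returns 1 on success. */
int demo_run(void) {
    char pol[] = "/tmp/ima-policy-XXXXXX", sink[] = "/tmp/ima-sink-XXXXXX";
    int pfd = mkstemp(pol), sfd = mkstemp(sink);
    if (pfd < 0 || sfd < 0)
        return 0;
    ssize_t want = (ssize_t)(sizeof SAMPLE_POLICY - 1);
    int ok = write(pfd, SAMPLE_POLICY, (size_t)want) == want;
    close(pfd);
    close(sfd);
    if (ok)
        ok = ima_load_policy(pol, sink) == IMA_LOADED && file_equals(sink, SAMPLE_POLICY);
    unlink(pol);
    unlink(sink);
    return ok;
}

int main(void) {
    /* Real use at early boot would be: ima_load_policy(IMA_DEFAULT_POLICY, IMA_SECFS_POLICY); */
    return demo_run() ? 0 : 1;
}
```

The point of the three-way return value is that PID 1 can log IMA_TOLERATED and continue, which is exactly the behaviour Lennart asks for (boot must succeed with IMA enabled at configure time but no policy present), while IMA_FATAL stays reserved for the mmap() failure the patch does not ignore.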