|
|
|
Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies | |
| [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] | |
On 02/21/2012 02:01 PM, Mimi Zohar wrote:
On Tue, 2012-02-21 at 11:05 +0100, Roberto Sassu wrote:Ok. this should be not a problem because all errors (IMA support not included in the kernel, policy file access denied, ...) are ignored except for the mmap() failure.Hi Roberto, IMA should never return an error, only IMA-appraisal should enforce file integrity. Can you please show me or send a patch?
Hi Mimi do you intend a patch to reintroduce the 'ima=' kernel parameter for enabling/disabling IMA? If so, i have not actually thought about this but it should be not difficult to implement. Probably we can support these modes: - disabled: IMA returns immediately to the system call; - measure_only: IMA performs only measurements and does not return any error to the system call; - appraise_permissive: IMA stores measurements in the files extended attribute and in the measurements list but does not return any error to the system call even if the integrity check fails; - appraise_enforce: IMA does the same as the previous mode but returns an error to the system call if the integrity check fails. Further, we can have a simple user-space package which will contain the documentation about how to write a policy (so that it will be more easy to find in respect to the whole kernel documentation) and a tool that will fix/verify the measurements stored in the files extended attribute. Having a separate user-space package will simplify the interaction for users with the IMA kernel-space portion and will allow to determine whether the IMA support should be enabled in Systemd. Thanks Roberto Sassu
thanks, Mimi
-- To unsubscribe from this list: send the line "unsubscribe initramfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
|
|