| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 May 2009 17:27:18 -0400 From: Eric Paris <eparis@...hat.com> To: Mimi Zohar <zohar@...ux.vnet.ibm.com> Cc: jmorris@...ei.org, linux-kernel@...r.kernel.org, Dave Safford <safford@...son.ibm.com> Subject: Re: [PATCH] IMA: do not measure everything opened by root by default On Tue, 2009-05-12 at 17:18 -0400, Mimi Zohar wrote: > On Tue, 2009-05-12 at 15:14 -0400, Eric Paris wrote: > > The IMA default policy measures every single file opened by root. This is > > terrible for most users. Consider a system (like mine) with virtual machine > > images. When those images are touched (which happens at boot for me) those > > images are measured. This is just way too much for the default case. > > > > Signed-off-by: Eric Paris <eparis@...hat.com> > > The question of what to measure is a major issue. If you measure too > much, performance is affected, but if you measure too little, then the > measurement list will not contain everything that could affect the > Trusted Computing Base(TCB), such as configuration files and scripts. > > The solution is not to remove the rule that measures everything read > by root, but to replace the default IMA configuration file with an LSM > specific one, which should be done early in the etc init scripts or > initrd. LTP contains a sample script to replace the default IMA policy > (testcases/kernel/security/integrity/ima/tests/ima_policy.sh). > > The following SELinux integrity rule, prevents /var/log/messages from > being measured. (Dependent on "integrity: lsm audit rule matching fix" > patch in the security-testing tree.) > > dont_measure func=PATH_CHECK mask=MAY_READ obj_type=var_log_t > > By defining an equivalent SELinux integrity rule for each virtual > machine image type, the virtual machine images will not be measured. > This is far better than not measuring everything in the TCB. > > Mimi Zohar While the TCB might be interesting to you I'm going to guess that 99% of users don't care at all. I don't think the kernel should ship with such an overhead just to make the options available to the few. Every distro that wants to ship with IMA compiled in the kernel is going to need to carry their own ima policy and they are going to have to change userspace so they can load that policy by default. This is turn means that every distro is going to, by default, leave ima uncustomizable since we can only load a single policy. Maybe we'd like to allow multiple policy loads? That doesn't seem great to me... If the 'right default' for every distro's common user is to not read and measure every single file root touches it's the 'right default' in the kernel. Any distro owner want to disagree? -Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists