| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Feb 2013 16:54:24 -0500 From: Mimi Zohar <zohar@...ux.vnet.ibm.com> To: Vivek Goyal <vgoyal@...hat.com> Cc: "Kasatkin, Dmitry" <dmitry.kasatkin@...el.com>, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional On Mon, 2013-02-18 at 13:21 -0500, Vivek Goyal wrote: > On Thu, Feb 14, 2013 at 10:30:15AM -0500, Mimi Zohar wrote: > > On Thu, 2013-02-14 at 10:03 -0500, Vivek Goyal wrote: > > > On Wed, Feb 13, 2013 at 05:27:01PM -0500, Mimi Zohar wrote: > > > > > > [..] > > > > > Yep, I got that. Default policy gets overruled when a new policy is > > > > > loaded. > > > > > > > > > > In secureboot mode, somehow above rule needs to take effect by default. > > > > > One option would be that kernel can enforce above rule. > > > > > (I guess by adding it to both default_list as well as policy list). > > > > > > > > The default policy is empty, but can be replaced with boot command line > > > > options. The existing options are ima_tcb and/ ima_appraise_tcb. > > > > Please feel free to define an additional policy. > > > > > > I think just defining a new command line option is not sufficient > > > for secureboot use case. > > > > > > - One can easily remove kernel command line option without breaking > > > booting and easily bypass secureboot restrictions. > > > > > - I guess this is one mandated rule by secureboot. There might still > > > be a user policy which can co-exist with this rule. > > > > > > So to me this is not a new policy. It is just one mandatory rule which > > > gets appended to any policy in secureboot mode. Think of it as mandatory > > > rule imposed by kernel for any policy user can define. And in secureboot > > > mode a user can not get rid of this rule. (Otherwise it breaks user > > > space signing and one can bypass secureboot and boot into unsigned > > > kernel). > > > > Your rule allows both signed and unsigned files to be executed. Signed > > files will just have more capabilities. The ima_appraise_tcb option > > requires all files owned by root to be signed, otherwise access is > > denied. The two policies simply can not co-exist. > > Thinking loud. I guess we might have to extend ima policy/rules to allow > multiple appraise rules to co-exist. And access permission will finally > depend on if all the rules in same category return success. ima_appraise_tcb rules: dont_appraise fsmagic=PROC_SUPER_MAGIC . . . dont_appraise fsmagic=SELINUX_MAGIC appraise fowner=0 ima_secureboot: appraise fowner=0 func=bprm appraise_type=optional The ima_appraise_tcb appraise rule includes everything that would match the ima_secureboot rule. It isn't possible to combine the two policies. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists