lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1242306578.4647.3.camel@dyn9002018117.watson.ibm.com>
Date:	Thu, 14 May 2009 09:09:38 -0400
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	Eric Paris <eparis@...hat.com>
Cc:	jmorris@...ei.org, linux-kernel@...r.kernel.org,
	Dave Safford <safford@...son.ibm.com>
Subject: Re: [PATCH] IMA: do not measure everything opened by root bydefault

On Wed, 2009-05-13 at 10:54 -0400, Eric Paris wrote:
> On Tue, 2009-05-12 at 17:53 -0400, Mimi Zohar wrote:
> > On Tue, 2009-05-12 at 17:27 -0400, Eric Paris wrote:
> > > On Tue, 2009-05-12 at 17:18 -0400, Mimi Zohar wrote:
> > > > On Tue, 2009-05-12 at 15:14 -0400, Eric Paris wrote:
> > > > > The IMA default policy measures every single file opened by root.  This is
> > > > > terrible for most users.  Consider a system (like mine) with virtual machine
> > > > > images.  When those images are touched (which happens at boot for me) those
> > > > > images are measured.  This is just way too much for the default case.
> > > > > 
> > > > > Signed-off-by: Eric Paris <eparis@...hat.com>
> > > > 
> > > > The question of what to measure is a major issue. If you measure too
> > > > much, performance is affected, but if you measure too little, then the
> > > > measurement list will not contain everything that could affect the
> > > > Trusted Computing Base(TCB), such as configuration files and scripts.
> > > > 
> > > > The solution is not to remove the rule that measures everything read
> > > > by root, but to replace the default IMA configuration file with an LSM
> > > > specific one, which should be done early in the etc init scripts or
> > > > initrd.  LTP contains a sample script to replace the default IMA policy
> > > > (testcases/kernel/security/integrity/ima/tests/ima_policy.sh).
> > > > 
> > > > The following SELinux integrity rule, prevents /var/log/messages from
> > > > being measured. (Dependent on "integrity: lsm audit rule matching fix"
> > > > patch in the security-testing tree.)
> > > > 
> > > > dont_measure func=PATH_CHECK mask=MAY_READ obj_type=var_log_t
> > > > 
> > > > By defining an equivalent SELinux integrity rule for each virtual
> > > > machine image type, the virtual machine images will not be measured.
> > > > This is far better than not measuring everything in the TCB.
> > > > 
> > > > Mimi Zohar
> > > 
> > > While the TCB might be interesting to you I'm going to guess that 99% of
> > > users don't care at all.  I don't think the kernel should ship with such
> > > an overhead just to make the options available to the few.
> > > 
> > > Every distro that wants to ship with IMA compiled in the kernel is going
> > > to need to carry their own ima policy and they are going to have to
> > > change userspace so they can load that policy by default.  This is turn
> > > means that every distro is going to, by default, leave ima
> > > uncustomizable since we can only load a single policy.
> > 
> > I'm not sure I understand the problem here. Although the policy can only
> > be loaded once per boot, it could be based on a configuration file
> > like /etc/measure, which the distro could define. Any system specific
> > changes could be made to this file.
> 
> I'm assuming, although possibly wrongly, that every major distro is
> going to enable the IMA config.  My reason for making that assumption is
> based on the fact tht many distros tend to enable everything they can so
> their users can make their own choices without recompiling.  Kernel
> defaults are supposed to be the default that most people want.  How many
> people on LKML know, or even care, what the TCB is?  By setting the
> kernel default to something that is known to be of interest to very few
> people and which causes a noticeable performance penalty you force the
> work of setting the default out onto the distros.  This is wrong.  If I
> was a distro owner and knew I either had to rewrite the initrd for every
> user or create a new package which runs early in the startup just to
> disable the IMA rules or I could just not enable IMA in the kernel at
> all, which do you think I would choose?  I see that in Fedora 12 kernels
> they chose not to enable IMA.  Why should we take on the maintenance
> burden of another package just to fix the default IMA rules so they are
> reasonable for most of our users?
> 
> I think if you want to make IMA available, the default config needs to
> be reasonable to reasonable people.  The people who care about the TCB
> should be the ones adding custom policy.
> 
> -Eric

If you would like the default to be for the normal user, as grub will
measure the OS and the initrd, perhaps it would make sense for the
default policy not to measure any files.  Then, if the user wants, the
initrd can load a policy to measure any or all of the TCB.

In this scenario, where the default policy doesn't measure files open
for read by root, the policy needs to be loaded in the initrd, as
opposed to in the etc init scripts, so there isn't a gap in the
measurements.

This would certainly make including IMA more viable for the distros,
while still allowing users to choose.

Mimi Zohar


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ