Open Source and information security mailing list archives
 
Message-ID: <AANLkTilMKH5M0d8iyACTDLMwZb1WgyJVrd9e04H2cy95@mail.gmail.com>
Date:	Wed, 14 Jul 2010 07:08:22 +0900
From:	Seiji Munetoh <seiji.munetoh@...il.com>
To:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc:	Roberto Sassu <roberto.sassu@...ito.it>,
	linux-ima-user@...ts.sourceforge.net,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org, Eric Paris <eparis@...hat.com>
Subject: Re: [Linux-ima-user] [RFC][PATCH] ima: add default rule for initramfs files

On Thu, Jul 8, 2010 at 10:14 PM, Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:
> On Tue, 2010-07-06 at 17:08 +0200, Roberto Sassu wrote:
>> This patch modifies the default policy shipped with IMA, in order to avoid measurements
>> of files in the initial ramdisk. Those files can be measured early in the boot process
>> by the bootloader.
>> The patch applies to the latest version of the mainline kernel 2.6.35-rc4.
>
> Yes, the initramfs measurements are therefore redundant, as they're
> already included in the initramfs measurement, but perhaps, as the
> number of initramfs is very limited and the individual file measurements
> supply additional information, it wouldn't hurt to keep the individual
> file measurements as well.  These measurements could potentially help in
> identifying initramfs changes.
>
> Would appreciate other opinions before accepting this change.

The hash value of the initramfs is unstable since it was generated
at the time of kernel installation.
So I still want to check the individual files used in the initramfs.

regards,
--
Seiji



>
> thanks,
>
> Mimi
>
>> Signed-off-by: Roberto Sassu <roberto.sassu@...ito.it>
>> ---
>>  security/integrity/ima/ima_policy.c |    1 +
>>  1 files changed, 1 insertions(+), 0 deletions(-)
>>
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index aef8c0a..92d8d0e 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -64,6 +64,7 @@ static struct ima_measure_rule_entry default_rules[] = {
>>       {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
>>       {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
>>       {.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
>> +     {.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
>>       {.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,
>>        .flags = IMA_FUNC | IMA_MASK},
>>       {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
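Review bot: the added DONT_MEASURE rule is keyed only on RAMFS_MAGIC with IMA_FSMAGIC, so it exempts every ramfs mount for the life of the system, not just the initial ramdisk the cover letter describes; fsmagic rules carry no path or mount condition, and because the rule is placed ahead of the FILE_MMAP and BPRM_CHECK MEASURE rules in default_rules[], any executable mapped or executed from a later ramfs mount is skipped as well. Given the point raised in this thread that the initramfs image hash is regenerated at install time and so is not a stable reference, the commit message should say why losing per-file records for all ramfs content is acceptable, or the change should be narrowed so that the existing MEASURE rules still cover ramfs mounts created after boot.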