[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1360878870.3524.726.camel@falcor1.watson.ibm.com>
Date: Thu, 14 Feb 2013 16:54:30 -0500
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: Vivek Goyal <vgoyal@...hat.com>
Cc: "Kasatkin, Dmitry" <dmitry.kasatkin@...el.com>,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional
On Thu, 2013-02-14 at 15:57 -0500, Vivek Goyal wrote:
> On Thu, Feb 14, 2013 at 03:54:45PM -0500, Vivek Goyal wrote:
> > On Thu, Feb 14, 2013 at 02:49:16PM -0500, Mimi Zohar wrote:
> >
> > [..]
> > > > > I think you're making this more complicated than it needs to be. Allow
> > > > > the execution unless the file failed signature verification. The
> > > > > additional capability is given only if the signature verification
> > > > > succeeds.
> > > >
> > > > I am just trying to bring it inline with module signature verification.
> > > > There also module loading fails if signatures are present but kernel
> > > > can't verify it.
> > >
> > > A specific hook is defined for kernel module signature verification,
> > > which is enabled/disabled in Kconfig. When enabled, only signed modules
> > > are loaded. The kernel module hook does not verify the integrity of the
> > > userspace application (eg. insmod, modprobe), but of the kernel module
> > > being loaded.
> > >
> > > Your original patches verified the integrity of the userspace
> > > application kexec, not the image being loaded. ima_bprm_check()
> > > verifies the integrity of executables. To permit both signed and
> > > unsigned files to execute, we defined the 'optional' IMA policy flag,
> > > with the intention of giving more capability to signed executables.
> > >
> > > Unless we define a kexec specific hook for verifying kernel images, it's
> > > not the same.
> >
> > I think we are talking of two different things here.
> >
> > I am referring to kernel module signing where signatures are appended
> > to module (not IMA hook).
> >
> > Also I am just referring to behavior about what happens if some error
> > happens while signature verification.
> >
> > - If signature verification fails, it is clear what to do.
> > - If signature verification passes, it is clear what to do.
> > - Grey area is, what happens if some error is encountered during signature
> > verification. Should the module loading be allowed/disallowed. Looking
> > at the module loading code, once it is determined that module has
> > signature appended to it, module loading fails if some error occurs
> > during signature verification.
There better not be any gray area, if CONFIG_MODULE_SIG_FORCE is
enabled, only validly signed modules should be loaded.
> > So I am just referring to that fact and trying to draw parallels between
> > error handling during module signature verification and error handling
> > when file appraisal happens in IMA.
> > There can be two options.
> >
> > - Disallow execution only if signature verification fails. If some error
> > happens during verification, ignore it, let the executable continue.
> > Just that it does not get extra capability.
> >
> > - Disallow execution only if executable is not signed or it has valid
> > signature. If executable is signed and some error happens during the
> > process of verifying signature, execution is denied.
> >
>
> Little typo in second option. I meant "Allow execution only if executable
> is not signed or it has valid signatures".
Executables will be run with or without a valid signature. The only
fair comparison would be between loading the kernel module and setting a
capability. Both are only done based on a valid signature. Of the two
options, I would choose the second.
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists