lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 16 Nov 2020 13:49:03 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Al Viro <viro@...iv.linux.org.uk>,
        Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Christoph Hellwig <hch@...radead.org>,
        Roberto Sassu <roberto.sassu@...wei.com>,
        "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Silviu Vlasceanu <Silviu.Vlasceanu@...wei.com>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>,
        "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>
Subject: Re: [RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in
 ima_calc_file_hash()

On Mon, 2020-11-16 at 18:08 +0000, Al Viro wrote:
> On Mon, Nov 16, 2020 at 09:37:32AM -0800, Linus Torvalds wrote:
> > On Mon, Nov 16, 2020 at 8:47 AM Mimi Zohar <zohar@...ux.ibm.com> wrote:
> > >
> > > This discussion seems to be going down the path of requiring an IMA
> > > filesystem hook for reading the file, again.  That solution was
> > > rejected, not by me.  What is new this time?
> > 
> > You can't read a non-read-opened file. Not even IMA can.
> > 
> > So don't do that then.
> > 
> > IMA is doing something wrong. Why would you ever read a file that can't be read?
> >
> > Fix whatever "open" function instead of trying to work around the fact
> > that you opened it wrong.
> 
> IMA pulls that crap on _every_ open(2), including O_WRONLY.  As far as I'm
> concerned, the only sane answer is not enabling that thing on your builds;
> they are deeply special and I hadn't been able to reason with them no
> matter how much I tried ;-/

The builtin IMA policies are only meant to be used until a custom can
be loaded.  The decision as to what should be measured or verified is
left up to the system owner.

In terms of the architecture specific policy rules, there are rules to:
- measure the kexec kernel image and kernel modules
- verify the kexec kernel image and kernel modules appended signatures

These rules should be pretty straight forward to verify.

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ