On Tue, Jan 29, 2013 at 03:01:13PM -0500, Mimi Zohar wrote:

[..]
> > Hi Mimi,
> > 
> > Can we add another field to ima_rule_entry, say .enforcement to control
> > the behavior of .action. Possible values of .enforcement could be, say.
> > 
> > ALL
> > SIGNED_ONLY
> > 
> > ALL will be default. And with .action= MEASURE, one could possibly use
> > .enforcement=SIGNED_ONLY.
> 
> Other than the .action being '.action=APPRAISE', not 'MEASURE',
> something like what you're suggesting, could work.  How about extending
> the new 'appraise_type=' option?   The appraise_type enforces a
> particular type (eg. hash, signature) of verification. 
> 
> option: appraise_type:= [imasig[,signed_only]]
> eg. appraise_type=imasig,signed_only

Right. Given the fact that signed_only things work only for appraise, it
probably is better to extend ima_appraise= command line option.

I just wrote something based on Linus' tree. That is, introduce
ima_appraise=enforce_labeled_only.

But I would look at your next branch and try introducing
imasig_signed_only.

In the meantime here is the patch I used. I can now boot my unlabeled
system with "ima_appraise_tcb" and "ima_appraise=enforce_labeled_only".

But somehow my system has slowed down significantly and I can feel a
slow boot as well as slow file operations in the terminal.

Thanks
Vivek

---
 Documentation/kernel-parameters.txt   |    3 ++-
 security/integrity/ima/ima.h          |    1 +
 security/integrity/ima/ima_appraise.c |    6 ++++++
 3 files changed, 9 insertions(+), 1 deletion(-)

Index: linux-2.6/security/integrity/ima/ima_appraise.c
===================================================================
--- linux-2.6.orig/security/integrity/ima/ima_appraise.c        2013-01-18 
01:29:29.000000000 -0500
+++ linux-2.6/security/integrity/ima/ima_appraise.c     2013-01-29 
14:56:47.636620835 -0500
@@ -24,6 +24,8 @@ static int __init default_appraise_setup
                ima_appraise = 0;
        else if (strncmp(str, "fix", 3) == 0)
                ima_appraise = IMA_APPRAISE_FIX;
+       else if (strncmp(str, "enforce_labeled_only", 21) == 0)
+               ima_appraise = IMA_APPRAISE_ENFORCE_LABELED_ONLY;
        return 1;
 }
 
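Review bot: the plain assignment `ima_appraise = IMA_APPRAISE_ENFORCE_LABELED_ONLY;` drops the IMA_APPRAISE_ENFORCE bit (0x01 in the ima.h hunk), so with this option the enforce flag that the rest of the code tests is clear and the mode becomes non-enforcing for labeled files as well, the opposite of what the name promises; write `ima_appraise = IMA_APPRAISE_ENFORCE | IMA_APPRAISE_ENFORCE_LABELED_ONLY;` or make every enforcement decision test both bits. Minor: "enforce_labeled_only" is 20 characters, so `strncmp(str, "enforce_labeled_only", 21)` also compares the terminating NUL; either use 20 to follow the prefix-match style of the "off"/"fix" cases above, or use strcmp and say that an exact match is intended.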
@@ -144,6 +146,10 @@ out:
                        ima_fix_xattr(dentry, iint);
                        status = INTEGRITY_PASS;
                }
+               if ((ima_appraise & IMA_APPRAISE_ENFORCE_LABELED_ONLY) &&
+                  (status == INTEGRITY_NOLABEL))
+                       status = INTEGRITY_PASS;
+
                integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
                                    op, cause, rc, 0);
        } else {
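Review bot: rewriting `status` to INTEGRITY_PASS whenever it is INTEGRITY_NOLABEL means any file without a security.ima xattr is appraised as good, so whoever can create a file or strip its xattr bypasses appraisal entirely; that is the trade-off the option is for on an unlabeled system, but it deserves a comment at the override, and the status handed back to the caller no longer distinguishes a verified file from an unlabeled one. Keep the `integrity_audit_msg()` call below the override exactly where it is, so the missing label is still recorded, and consider whether the override should happen before or after the fix-mode block above it rather than leaving both to run. Also drop the trailing empty `+` line.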
Index: linux-2.6/security/integrity/ima/ima.h
===================================================================
--- linux-2.6.orig/security/integrity/ima/ima.h 2013-01-18 01:29:29.000000000 
-0500
+++ linux-2.6/security/integrity/ima/ima.h      2013-01-29 14:51:25.762610948 
-0500
@@ -140,6 +140,7 @@ void ima_delete_rules(void);
 #define IMA_APPRAISE_ENFORCE   0x01
 #define IMA_APPRAISE_FIX       0x02
 #define IMA_APPRAISE_MODULES   0x04
+#define IMA_APPRAISE_ENFORCE_LABELED_ONLY      0x08
 
 #ifdef CONFIG_IMA_APPRAISE
 int ima_appraise_measurement(struct integrity_iint_cache *iint,
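Review bot: the new flag lives in the same bitmask as IMA_APPRAISE_ENFORCE, IMA_APPRAISE_FIX and IMA_APPRAISE_MODULES, but nothing says whether it is meant to be combined with ENFORCE or to replace it; add a one-line comment such as `/* enforce, but allow files with no security.ima label */` and align the value with the tabs used by the three defines above it.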
Index: linux-2.6/Documentation/kernel-parameters.txt
===================================================================
--- linux-2.6.orig/Documentation/kernel-parameters.txt  2013-01-18 
01:29:29.000000000 -0500
+++ linux-2.6/Documentation/kernel-parameters.txt       2013-01-29 
14:52:44.455613365 -0500
@@ -1064,7 +1064,8 @@ bytes respectively. Such letter suffixes
                        Set number of hash buckets for inode cache.
 
        ima_appraise=   [IMA] appraise integrity measurements
-                       Format: { "off" | "enforce" | "fix" }
+                       Format: { "off" | "enforce" | "fix" |
+                                 "enforce_labeled_only}
                        default: "enforce"
 
        ima_appraise_tcb [IMA]
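Review bot: the new Format line is missing its closing quote and the brace is glued to it: `"enforce_labeled_only}` should read `"enforce_labeled_only" }`. The entry should also say what the mode does, since the word alone does not tell an admin that appraisal is enforced only for files carrying a security.ima label and that files without one are allowed; a line to that effect under `default: "enforce"` would do.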
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
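A user-space model of how the ima_appraise= value decides access for one file, added here as an illustration; it is not kernel code and not Vivek's or Mimi's. It shows the trade-off the thread is about: under enforce_labeled_only an unlabeled file is allowed while a labeled but tampered one is still denied. The flag values are copied from ima.h and the parser and status override follow the posted hunks; the final "deny only if IMA_APPRAISE_ENFORCE is set" check is an assumption about the caller of ima_appraise_measurement(), which the patch does not show, and fix mode is simplified to rewriting any label.

```c
/*
 * User-space model of the ima_appraise= decision. Not kernel code.
 * Flag values copy ima.h; the parser and the status override follow the
 * posted patch; the final access check (deny only when the
 * IMA_APPRAISE_ENFORCE bit is set) is assumed to match what the kernel
 * does with the returned status, which the patch does not show.
 */
#include <stdio.h>
#include <string.h>

#define IMA_APPRAISE_ENFORCE              0x01
#define IMA_APPRAISE_FIX                  0x02
#define IMA_APPRAISE_MODULES              0x04
#define IMA_APPRAISE_ENFORCE_LABELED_ONLY 0x08 /* proposed by the patch */

/* Result of checking a file against its security.ima xattr. */
enum integrity_status {
	INTEGRITY_PASS,    /* label present and matches the contents */
	INTEGRITY_FAIL,    /* label present but does not match (tampered) */
	INTEGRITY_NOLABEL  /* no security.ima xattr on the file */
};

/* Parser as posted: a plain assignment, so "enforce_labeled_only"
 * yields 0x08 with the ENFORCE bit clear. */
int ima_appraise_setup_as_posted(const char *str)
{
	int ima_appraise = IMA_APPRAISE_ENFORCE; /* kernel default */

	if (strcmp(str, "off") == 0)
		ima_appraise = 0;
	else if (strcmp(str, "fix") == 0)
		ima_appraise = IMA_APPRAISE_FIX;
	else if (strcmp(str, "enforce_labeled_only") == 0)
		ima_appraise = IMA_APPRAISE_ENFORCE_LABELED_ONLY;
	return ima_appraise;
}

/* Same parser with the new mode layered on top of enforce (0x09). */
int ima_appraise_setup_fixed(const char *str)
{
	int ima_appraise = IMA_APPRAISE_ENFORCE;

	if (strcmp(str, "off") == 0)
		ima_appraise = 0;
	else if (strcmp(str, "fix") == 0)
		ima_appraise = IMA_APPRAISE_FIX;
	else if (strcmp(str, "enforce_labeled_only") == 0)
		ima_appraise = IMA_APPRAISE_ENFORCE |
			       IMA_APPRAISE_ENFORCE_LABELED_ONLY;
	return ima_appraise;
}

/* Status override from the patch's ima_appraise.c hunk. Fix mode is
 * simplified here: it rewrites any label; the kernel leaves files that
 * carry a signature alone, a case this model does not have. */
enum integrity_status appraise(int ima_appraise, enum integrity_status st)
{
	if (st != INTEGRITY_PASS) {
		if (ima_appraise & IMA_APPRAISE_FIX)
			st = INTEGRITY_PASS;
		if ((ima_appraise & IMA_APPRAISE_ENFORCE_LABELED_ONLY) &&
		    st == INTEGRITY_NOLABEL)
			st = INTEGRITY_PASS;
	}
	return st;
}

/* 1 = access allowed, 0 = denied with -EACCES (assumed caller check). */
int access_allowed(int ima_appraise, enum integrity_status file_state)
{
	enum integrity_status st = appraise(ima_appraise, file_state);

	if (st != INTEGRITY_PASS && (ima_appraise & IMA_APPRAISE_ENFORCE))
		return 0;
	return 1;
}

int main(void)
{
	const char *modes[] = { "enforce", "off", "fix", "enforce_labeled_only" };
	const char *states[] = { "labeled ok", "labeled tampered", "unlabeled" };
	size_t m, s;

	printf("%-22s %-18s %-10s %-10s\n",
	       "ima_appraise=", "file", "as posted", "fixed");
	for (m = 0; m < 4; m++) {
		for (s = 0; s < 3; s++) {
			int posted = access_allowed(
				ima_appraise_setup_as_posted(modes[m]),
				(enum integrity_status)s);
			int fixed = access_allowed(
				ima_appraise_setup_fixed(modes[m]),
				(enum integrity_status)s);
			printf("%-22s %-18s %-10s %-10s\n", modes[m], states[s],
			       posted ? "allow" : "deny", fixed ? "allow" : "deny");
		}
	}
	return 0;
}
```

The table makes the two points of the thread visible side by side: the "fixed" column is what an enforce_labeled_only admin wants (tampered labeled files denied, unlabeled files allowed), and the "as posted" column shows that assigning the flag alone allows everything, because the ENFORCE bit is gone.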