Hello Vivek, Can you please send to us how your IMA policy looks like.
Thanks, Dmitry On Tue, Feb 12, 2013 at 8:57 PM, Vivek Goyal <[email protected]> wrote: > On Tue, Feb 12, 2013 at 01:52:03PM -0500, Vivek Goyal wrote: >> On Tue, Feb 12, 2013 at 12:14:07PM -0500, Mimi Zohar wrote: >> >> [..] >> > > > > --- a/security/integrity/ima/ima_appraise.c >> > > > > +++ b/security/integrity/ima/ima_appraise.c >> > > > > @@ -124,19 +124,26 @@ int ima_appraise_measurement(int func, struct >> > > > > integrity_iint_cache *iint, >> > > > > enum integrity_status status = INTEGRITY_UNKNOWN; >> > > > > const char *op = "appraise_data"; >> > > > > char *cause = "unknown"; >> > > > > - int rc; >> > > > > + int rc, audit_info = 0; >> > > > > >> > > > > if (!ima_appraise) >> > > > > return 0; >> > > > > - if (!inode->i_op->getxattr) >> > > > > + if (!inode->i_op->getxattr) { >> > > > > + /* getxattr not supported. file couldn't have been >> > > > > signed */ >> > > > > + if (iint->flags & IMA_DIGSIG_OPTIONAL) >> > > > > + return INTEGRITY_PASS; >> > > > > return INTEGRITY_UNKNOWN; >> > > > > + } >> > > > > >> > > > >> > > > Please don't change the result of the appraisal like this. A single >> > > > change can be made towards the bottom of process_measurement(). >> > > >> > > I don't want to pass integrity in all cases of INTEGRITY_UNKNOWN. So >> > > I can probably maintain a bool variable, say pass_appraisal, and set >> > > that here and at the end of function, parse that variable and change >> > > the status accordingly. >> > >> > process_measurement() is the only caller of ima_appraise_measurement(). >> > Leave the results of ima_appraise_measurement() alone. There's already >> > code at the end of process_measurement() which decides what to return. >> > Just modify it based on the appraisal results. >> > > If we do this, audit logs will be filled with integrity unknown failures. > As each unsigned executable file will fail appraisal with INTEGRITY_UNKNOWN > and an audit message will be logged. > > Thanks > Vivek > -- > To unsubscribe from this list: send the line "unsubscribe > linux-security-module" in > the body of a message to [email protected] > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
