On Wed, Feb 13, 2013 at 02:14:55PM +0200, Kasatkin, Dmitry wrote:
> Hello Vivek,
>
> Can you please send us what your IMA policy looks like.
Hi Dmitry,

For testing purposes, I am using the following:

appraise fowner=0 func=BPRM_CHECK appraise_type=imasig_optional

I set this using the /sys/kernel/security/policy interface after boot.

Thanks
Vivek

>
> Thanks,
> Dmitry
>
> On Tue, Feb 12, 2013 at 8:57 PM, Vivek Goyal <vgo...@redhat.com> wrote:
> > On Tue, Feb 12, 2013 at 01:52:03PM -0500, Vivek Goyal wrote:
> >> On Tue, Feb 12, 2013 at 12:14:07PM -0500, Mimi Zohar wrote:
> >>
> >> [..]
> >> > > > > --- a/security/integrity/ima/ima_appraise.c
> >> > > > > +++ b/security/integrity/ima/ima_appraise.c
> >> > > > > @@ -124,19 +124,26 @@ int ima_appraise_measurement(int func, > >> > > > > struct integrity_iint_cache *iint, > >> > > > > enum integrity_status status = INTEGRITY_UNKNOWN; > >> > > > > const char *op = "appraise_data"; > >> > > > > char *cause = "unknown"; > >> > > > > - int rc; > >> > > > > + int rc, audit_info = 0; > >> > > > > > >> > > > > if (!ima_appraise) > >> > > > > return 0; > >> > > > > - if (!inode->i_op->getxattr) > >> > > > > + if (!inode->i_op->getxattr) { > >> > > > > + /* getxattr not supported. file couldn't have been > >> > > > > signed */ > >> > > > > + if (iint->flags & IMA_DIGSIG_OPTIONAL) > >> > > > > + return INTEGRITY_PASS; > >> > > > > return INTEGRITY_UNKNOWN; > >> > > > > + } > >> > > > > > >> > > > > >> > > > Please don't change the result of the appraisal like this. A single > >> > > > change can be made towards the bottom of process_measurement(). > >> > > > >> > > I don't want to pass integrity in all cases of INTEGRITY_UNKNOWN. So > >> > > I can probably maintain a bool variable, say pass_appraisal, and set > >> > > that here and at the end of function, parse that variable and change > >> > > the status accordingly. > >> > > >> > process_measurement() is the only caller of ima_appraise_measurement(). > >> > Leave the results of ima_appraise_measurement() alone. There's already > >> > code at the end of process_measurement() which decides what to return. > >> > Just modify it based on the appraisal results. > >> > > > > If we do this, audit logs will be filled with integrity unknown failures. > > As each unsigned executable file will fail appraisal with INTEGRITY_UNKNOWN > > and an audit message will be logged. 
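Review bot: the early `return INTEGRITY_PASS` in the `if (!inode->i_op->getxattr)` branch changes what the appraisal result means, not just what gets logged: a file on a filesystem that cannot carry an extended attribute at all is reported with the same status as a file whose signature actually verified, so a caller can no longer tell "verified" from "could not possibly have been signed". Since the stated goal is only to avoid an audit record for every unsigned executable under imasig_optional, keep `INTEGRITY_UNKNOWN` as the return value here and use the `audit_info` variable this hunk declares (`int rc, audit_info = 0;`, but never used in the visible lines) to suppress or downgrade the audit message instead; that also keeps the decision in one place at the end of `process_measurement()`, as suggested in the reply.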
> >
> > Thanks
> > Vivek