On 15-10-20 08:00:29, Mimi Zohar wrote:
> On Tue, 2015-10-20 at 10:26 +0300, Petko Manolov wrote:
> > On 15-10-19 14:21:42, Mimi Zohar wrote:
> > > On Fri, 2015-10-16 at 22:31 +0300, Petko Manolov wrote:
> > > > When in development it is useful to read back the IMA policy. This patch
> > > > provides the functionality. However, this is a potential security hole so
> > > > it should not be used in production-grade kernels.
> > >
> > > Like the other IMA securityfs files, only root would be able to read it.
> > > Once we start allowing additional rules to be appended to the policy,
> > > being able to view the resulting policy is important. Is there a reason
> > > for limiting this option to development?
> >
> > I have not considered allowing non-root users to read the policy - I was merely
> > cleaning up Zbigniew's patch. I guess it might be useful to be able to read
> > the policy when in development mode.
>
> I guess I wasn't clear. I don't have a problem with the patch itself, just
> with the patch description. What is this "security hole" that the option
> should ONLY be configured for development? Only privileged users can view the
> policy. I don't see the problem with configuring it in general. Please
> remove the comment.
By "security hole" I mean being able to read it at all, root or non-root. Knowing
what the IMA policy is may give the attacker an idea how to circumvent it. I used
stronger words in order to attract the user's attention and have them consider
carefully what the implications are when enabling this option. However, I do not
insist on keeping this comment. I will remove it or re-word it if you think it is
nonsensical in its present form.

BTW, I still think it is a good idea that only the root user has access to the
IMA policy. Unless I hear otherwise I am planning to keep the current
functionality.

> Since responding, I've enabled this feature.

Very nice! Have you tried it?

Petko
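The thread turns on two things: the policy file is root-readable on securityfs, and being able to read it back lets you see what the loaded rule set actually does (Mimi's point) while also telling a reader which accesses it leaves unmeasured (Petko's point). The following is an added example, not code from the kernel, this patch series or either author. It parses rules in the format documented in Documentation/ABI/testing/ima_policy and evaluates them the way a practitioner auditing a policy would: first matching rule of an action class wins, all conditions on a rule are ANDed, and `mask=` is compared for equality with the requested mask. The sample rules are constructed and mirror the shape of the kernel's built-in "tcb" policy; the `read_policy()` path is the real securityfs location, which needs root and a kernel built with the read-back option (CONFIG_IMA_READ_POLICY in mainline). The matching logic is a deliberate simplification (func, mask, fsmagic and uid only; LSM, fsuuid and fowner conditions are parsed but not evaluated).

```python
"""Parse an IMA policy as read back from securityfs and evaluate it.

Added example, not kernel code. Rule syntax per Documentation/ABI/testing/ima_policy:
    action [func=] [mask=] [fsmagic=] [uid=] ...
with action one of measure/dont_measure/appraise/dont_appraise/audit/hash/dont_hash.
"""
from dataclasses import dataclass, field

# Real securityfs path; reading it requires root and the read-back option enabled.
IMA_POLICY_PATH = "/sys/kernel/security/ima/policy"

# Constructed sample in the shape of the built-in "tcb" policy (not read from a kernel).
SAMPLE_POLICY = """\
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_measure fsmagic=0x01021994
dont_measure fsmagic=0x858458f6
dont_measure fsmagic=0x73636673
measure func=MMAP_CHECK mask=MAY_EXEC
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=MODULE_CHECK
measure func=FIRMWARE_CHECK
"""

ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise",
           "audit", "hash", "dont_hash"}

# A few f_type magic numbers from linux/magic.h, used as sample inputs.
PROC_SUPER_MAGIC = 0x9fa0
TMPFS_MAGIC = 0x01021994
EXT4_SUPER_MAGIC = 0xEF53


@dataclass
class Rule:
    action: str
    conds: dict = field(default_factory=dict)


def parse_policy(text):
    """Turn the text of the policy file into an ordered list of Rule objects."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        conds = {}
        for tok in tokens:
            key, sep, val = tok.partition("=")
            if not sep:
                conds[key] = True                # flag-style option, e.g. permit_directio
            elif key == "fsmagic":
                conds[key] = int(val, 16)        # printed as hex by the kernel
            elif key in ("uid", "euid", "fowner"):
                conds[key] = int(val)
            else:
                conds[key] = val
        rules.append(Rule(action, conds))
    return rules


def read_policy(path=IMA_POLICY_PATH):
    """Read and parse the live policy; needs root and a read-back-enabled kernel."""
    with open(path) as f:
        return parse_policy(f.read())


def rule_matches(rule, func, mask, fsmagic, uid):
    """All conditions on a rule must hold (simplified: func, mask, fsmagic, uid)."""
    c = rule.conds
    if "func" in c and c["func"] != func:
        return False
    if "mask" in c and c["mask"] != mask:      # equality, not subset, like the kernel
        return False
    if "fsmagic" in c and c["fsmagic"] != fsmagic:
        return False
    if "uid" in c and c["uid"] != uid:
        return False
    return True


def decide(rules, klass, func, mask, fsmagic, uid):
    """First rule of the action class (e.g. measure/dont_measure) that matches wins.

    Returns the matching action, or None if no rule applies (IMA does nothing)."""
    for r in rules:
        if r.action not in (klass, "dont_" + klass):
            continue
        if rule_matches(r, func, mask, fsmagic, uid):
            return r.action
    return None


def exempt_filesystems(rules, klass="measure"):
    """Filesystem magics that an unconditional dont_<klass> rule exempts entirely."""
    return {r.conds["fsmagic"] for r in rules
            if r.action == "dont_" + klass and set(r.conds) == {"fsmagic"}}


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    print("exec from ext4, uid 1000:", decide(rules, "measure", "BPRM_CHECK", "MAY_EXEC", EXT4_SUPER_MAGIC, 1000))
    print("exec from tmpfs, uid 1000:", decide(rules, "measure", "BPRM_CHECK", "MAY_EXEC", TMPFS_MAGIC, 1000))
    print("read on ext4 as uid 1000:", decide(rules, "measure", "FILE_CHECK", "MAY_READ", EXT4_SUPER_MAGIC, 1000))
    print("exempt filesystems:", [hex(m) for m in sorted(exempt_filesystems(rules))])
```

Run against the constructed sample, the script shows what the thread is arguing about: an exec from tmpfs is never measured, and a non-root read is not measured at all. Seeing that in the policy read-back is exactly what lets an administrator verify the rules appended at runtime, and exactly what the patch description's "security hole" wording was warning would also be visible to whoever can read the file.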