On 15-10-20 08:00:29, Mimi Zohar wrote:
> On Tue, 2015-10-20 at 10:26 +0300, Petko Manolov wrote:
> > On 15-10-19 14:21:42, Mimi Zohar wrote:
> > > On Fri, 2015-10-16 at 22:31 +0300, Petko Manolov wrote:
> > > > When in development it is useful to read back the IMA policy.  This patch
> > > > provides the functionality.  However, this is a potential security hole so
> > > > it should not be used in production-grade kernels.
> > >  
> > > Like the other IMA securityfs files, only root would be able to read it.
> > > Once we start allowing additional rules to be appended to the policy,
> > > being able to view the resulting policy is important.  Is there a reason
> > > for limiting this option to development?
> > 
> > I have not considered allowing non-root users to read the policy - I was merely
> > cleaning up Zbigniew's patch.  I guess it might be useful to be able to read
> > the policy when in development mode.
> 
> I guess I wasn't clear.  I don't have a problem with the patch itself, just
> with the patch description.  What is this "security hole" that the option
> should ONLY be configured for development?  Only privileged users can view the
> policy.  I don't see the problem with configuring it in general.  Please
> remove the comment.

By "security hole" I mean being able to read it at all.  Root or non-root.
Knowing what the IMA policy is may give the attacker an idea how to circumvent
it.  I used stronger words in order to attract the user's attention and consider
carefully what the implications are when enabling this option.

However, I do not insist on keeping this comment.  I will remove it or re-word
it if you think it is nonsensical in its present form.

BTW, I still think it is a good idea that only the root user have access to the
IMA policy.  Unless I hear otherwise I am planning to keep the current
functionality.

> Since responding, I've enabled this feature.  Very nice!

Have you tried it?



                Petko