This is a request for comments for updates to the integrity service
framework, previously accepted into -mm, and EVM, a new integrity service
provider. A new LSM module called Integrity Based Access Control (IBAC),
a consumer of the integrity framework API, will be posted separately to
the LSM
-2.6.21-rc3-mm2.orig/security/integrity_dummy.c
+++ linux-2.6.21-rc3-mm2/security/integrity_dummy.c
@@ -3,7 +3,7 @@
*
* Instantiate integrity subsystem
*
- * Copyright (C) 2005,2006 IBM Corporation
+ * Copyright (C) 2005,2006,2007 IBM Corporation
* Author: Mimi Zohar [EMAIL PROTECTED
This patch places calls to the new integrity hooks in the appropriate
places in the fs directory. It is not meant in any way to be viewed
as a complete set, but used as a basis for an initial discussion.
Index: linux-2.6.21-rc3-mm2/fs/ext3/xattr_security.c
===
--- /dev/null
+++ linux-2.6.21-rc3-mm2/security/evm/evm_config.c
@@ -0,0 +1,129 @@
+/*
+ * EVM - Extended Verification Module
+ *
+ * Copyright (C) 2005,2006,2007 IBM Corporation
+ * Author: Mimi Zohar [EMAIL PROTECTED]
+ *Kylene Hall [EMAIL PROTECTED]
+ *
+ * This program
This is a re-release of Integrity Measurement Architecture (IMA) as a
method of providing support for the integrity service framework API
integrity_measure() call. When integrity_measure() is called, IMA
submits the measurement (hash) of the file to the TPM chip, for
inclusion in one of the chip's
Index: linux-2.6.21-rc3-mm2/drivers/char/tpm/tpm.c
===
--- linux-2.6.21-rc3-mm2.orig/drivers/char/tpm/tpm.c
+++ linux-2.6.21-rc3-mm2/drivers/char/tpm/tpm.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004 IBM Corporation
+ * Copyright (C)
This is a minimal subset of Peter Staubach's July patch, updated to
apply to the latest kernel. The subset was chosen to demonstrate that
mmaped files are hashed and hmac'ed properly by EVM after being modified
when a file's mtime is updated correctly.
Index: linux-2.6.21-rc3-mm2/fs/inode.c
attributes, 2 hooks are for catching
changes to the extended attributes, one is for updating the extended
attributes when the file closes, and d_instantiate is used for
initialization. Is this excessive? How else would you design
integrity, without using the LSM hooks?
Mimi Zohar
On Thu, 2007-03-08 at 21:16 +0300, Dmitriy Monakhov wrote:
Mimi Zohar [EMAIL PROTECTED] writes:
This patch places calls to the new integrity hooks in the appropriate
places in the fs directory. It is not meant in any way to be viewed
as a complete set, but used as a basis for an initial
, integrity-service-api-and-dummy-provider.patch contains:
integrity_verify_metadata, integrity_verify_data, and integrity_measure,
which could be referred to as either LIM hooks or as the API. This patch
set adds 8 new LIM hooks.
Mimi Zohar
@@
+/*
+ * Integrity Based Access Control (IBAC)
+ *
+ * Copyright (C) 2007 IBM Corporation
+ * Author: Mimi Zohar [EMAIL PROTECTED]
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published
On Thu, 2007-03-08 at 15:08 -0800, Randy Dunlap wrote:
On Thu, 08 Mar 2007 17:58:16 -0500 Mimi Zohar wrote:
This is a request for comments for a new Integrity Based Access
Control (IBAC) LSM module which bases access control decisions
on the new integrity framework services
On Thu, 2007-03-08 at 22:19 -0500, [EMAIL PROTECTED] wrote:
On Thu, 08 Mar 2007 17:58:16 EST, Mimi Zohar said:
This is a request for comments for a new Integrity Based Access
Control (IBAC) LSM module which bases access control decisions
on the new integrity framework services
On Tue, 2007-03-13 at 10:31 -0500, Serge E. Hallyn wrote:
Quoting Mimi Zohar ([EMAIL PROTECTED]):
On Thu, 2007-03-08 at 22:19 -0500, [EMAIL PROTECTED] wrote:
On Thu, 08 Mar 2007 17:58:16 EST, Mimi Zohar said:
This is a request for comments for a new Integrity Based Access
Control
/null
+++ linux-2.6.21-rc3-mm2/security/ibac/ibac_main.c
@@ -0,0 +1,126 @@
+/*
+ * Integrity Based Access Control (IBAC)
+ *
+ * Copyright (C) 2007 IBM Corporation
+ * Author: Mimi Zohar [EMAIL PROTECTED]
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under
On Tue, 2007-03-13 at 19:27 -0700, Seth Arnold wrote:
On Thu, Mar 08, 2007 at 05:58:16PM -0500, Mimi Zohar wrote:
This is a request for comments for a new Integrity Based Access
Control (IBAC) LSM module which bases access control decisions
on the new integrity framework services.
Thanks
We have addressed the issues raised in the previous RFC postings and
are now submitting these for your consideration.
This is a set of updates to the integrity service framework, previously
accepted into -mm, EVM, a new integrity service provider, and a new LSM
module called Integrity Based
This patch adds integrity hooks used to implement an integrity service
provider and updates the previously submitted dummy provider to
support these new hooks.
signed-off-by: Mimi Zohar [EMAIL PROTECTED]
signed-off-by: Kylene Hall [EMAIL PROTECTED]
---
Index: linux-2.6.21-rc4-mm1/security
This patch places calls to the new integrity hooks in the appropriate
places in the fs directory. It is not meant in any way to be viewed
as a complete set, but used as a basis for an initial discussion.
signed-off-by: Mimi Zohar [EMAIL PROTECTED]
signed-off-by: Kylene Hall [EMAIL PROTECTED
or not the integrity
measurement of the file data matches the value stored as an extended
attribute; and for integrity_measure(), if IMA is configured and
enabled, EVM passes the integrity measurement to it.
signed-off-by: Mimi Zohar [EMAIL PROTECTED]
signed-off-by: Kylene Hall [EMAIL PROTECTED]
---
Index: linux
. If
included in the kernel, IMA can also be enabled or disabled on the
kernel command line with evm_enable_ima=0.
signed-off-by: Mimi Zohar [EMAIL PROTECTED]
signed-off-by: Kylene Hall [EMAIL PROTECTED]
---
Index: linux-2.6.21-rc4-mm1/security/evm/Kconfig
before calling munmap, the mtime is eventually
updated, but not before file_close is called. This patch forces the
mtime for mmaped files to be updated in a timely manner.
signed-off-by: Mimi Zohar [EMAIL PROTECTED]
Index: linux-2.6.21-rc4-mm1/mm/mmap.c
and SECURITY_IBAC_BOOTPARAM default value
- Prefixed all log messages with ibac:
- Redefined a couple of 'int' variables as 'static int'
signed-off-by: Mimi Zohar [EMAIL PROTECTED]
---
Index: linux-2.6.21-rc4-mm1/security/ibac/Kconfig
signed-off-by: Kylene Hall [EMAIL PROTECTED]
---
Index: linux-2.6.21-rc4-mm1/drivers/char/tpm/tpm.c
===
--- linux-2.6.21-rc4-mm1.orig/drivers/char/tpm/tpm.c
+++ linux-2.6.21-rc4-mm1/drivers/char/tpm/tpm.c
@@ -1,5 +1,5 @@
/*
- *
.)
signed-off-by: Mimi Zohar [EMAIL PROTECTED]
---
Index: linux-2.6.21-rc4-mm1/security/slim/slm_main.c
===
--- linux-2.6.21-rc4-mm1.orig/security/slim/slm_main.c
+++ linux-2.6.21-rc4-mm1/security/slim/slm_main.c
@@ -1,7 +1,7
This patch addresses the 2.6.21-rc4 LSM getprocattr hook API change.
signed-off-by: Mimi Zohar [EMAIL PROTECTED]
---
Index: linux-2.6.21-rc4-mm1/security/slim/slm_main.c
===
--- linux-2.6.21-rc4-mm1.orig/security/slim/slm_main.c
On Sun, 2007-03-25 at 00:16 -0800, Andrew Morton wrote:
On Fri, 23 Mar 2007 12:09:36 -0400 Mimi Zohar [EMAIL PROTECTED] wrote:
+++ linux-2.6.21-rc4-mm1/security/evm/Kconfig
@@ -0,0 +1,17 @@
+config INTEGRITY_EVM
+ boolean EVM support
+ depends on INTEGRITY KEYS
+ select
On Sun, 2007-03-25 at 21:28 -0800, Andrew Morton wrote:
On Sun, 25 Mar 2007 23:13:02 -0400 Mimi Zohar [EMAIL PROTECTED] wrote:
On Sun, 2007-03-25 at 00:16 -0800, Andrew Morton wrote:
On Fri, 23 Mar 2007 12:09:36 -0400 Mimi Zohar [EMAIL PROTECTED] wrote:
+++ linux-2.6.21-rc4-mm1
The following patch addresses the missing initialization values bug.
signed-off-by: Mimi Zohar [EMAIL PROTECTED]
---
Index: linux-2.6.21-rc4-mm1/security/integrity_dummy.c
===
--- linux-2.6.21-rc4-mm1.orig/security
On Sun, 2007-03-25 at 00:26 -0800, Andrew Morton wrote:
On Fri, 23 Mar 2007 12:09:58 -0400 Mimi Zohar [EMAIL PROTECTED] wrote:
mmaped files are hashed and hmac'ed properly by EVM after being modified
when the file's mtime is updated correctly. Peter Staubach's 'memory
mapped files
On Mon, 2007-03-26 at 13:23 -0500, Serge E. Hallyn wrote:
Quoting Andrew Morton ([EMAIL PROTECTED]):
On Fri, 23 Mar 2007 12:09:36 -0400 Mimi Zohar [EMAIL PROTECTED] wrote:
This is a re-release of EVM as an integrity service provider.
What a huge set of patches.
Frankly, I don't
!
Mimi Zohar
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This patch corrects the naming of global and other identifiers.
signed-off-by: Mimi Zohar [EMAIL PROTECTED]
signed-off-by: Kylene Hall [EMAIL PROTECTED]
---
---
security/evm/ima/ima.h | 24
security/evm/ima/ima_fs.c| 18 +-
security/evm/ima
This patch corrects calling an __exit function from a non-__exit function.
signed-off-by: Mimi Zohar [EMAIL PROTECTED]
signed-off-by: Kylene Hall [EMAIL PROTECTED]
---
security/evm/ima/ima_init.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: linux-2.6.21-rc5-mm2/security/evm
This patch cleans up the few Lindent and sparse msgs
signed-off-by: Mimi Zohar [EMAIL PROTECTED]
signed-off-by: Kylene Hall [EMAIL PROTECTED]
---
Index: linux-2.6.21-rc5-mm2/security/evm/ima/ima.h
===
--- linux-2.6.21-rc5-mm2.orig
On Thu, 2012-11-01 at 09:53 -0400, Vivek Goyal wrote:
On Thu, Nov 01, 2012 at 09:10:03AM -0400, Vivek Goyal wrote:
[..]
- So say we can sign /sbin/kexec at build time and distros can do that.
- Verify the signature at exec time using kernel keyring and if
verification happens
On Wed, 2012-09-26 at 13:16 +0930, Rusty Russell wrote:
David Howells dhowe...@redhat.com writes:
The module signing patches provide:
- Some fixes to Rusty's patch. Also an additional patch to extend the
policy
handling for modules signed with an unknown key and to handle FIPS
On Wed, 2012-10-03 at 02:44 -0700, Eric W. Biederman wrote:
Linus Torvalds torva...@linux-foundation.org writes:
On Tue, Oct 2, 2012 at 4:35 AM, James Morris jmor...@namei.org wrote:
Highlights:
- Integrity: add local fs integrity verification to detect offline attacks
- Integrity:
On Thu, 2012-10-04 at 15:09 +0930, Rusty Russell wrote:
Kees Cook keesc...@chromium.org writes:
On Thu, Sep 20, 2012 at 3:14 PM, Kees Cook keesc...@chromium.org wrote:
As part of the effort to create a stronger boundary between root and
kernel, Chrome OS wants to be able to enforce that
On Fri, 2012-10-05 at 17:42 +0300, Kasatkin, Dmitry wrote:
Hello,
On Fri, Oct 5, 2012 at 4:47 AM, Rusty Russell ru...@rustcorp.com.au wrote:
Hi all,
Had a talk with Mimi, and IMA still wants xattr signatures on
modules like they have for other files with EVM. With Kees'
On Mon, 2012-11-05 at 18:20 +0100, Takashi Iwai wrote:
Add a feature to check the firmware signature, specified via Kconfig
CONFIG_FIRMWARE_SIG. The signature check is performed only for the
direct fw loading without udev. Also no check for built-in firmware
blobs is implemented yet.
On Thu, 2012-11-08 at 14:40 -0500, Vivek Goyal wrote:
On Tue, Nov 06, 2012 at 03:51:59PM -0800, Eric W. Biederman wrote:
[..]
Thinking more about executable signature verification, I have another question.
While verifying the signature, we will have to read the whole executable
in
On Wed, 2012-10-24 at 13:19 -0400, Vivek Goyal wrote:
On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
Matthew Garrett m...@redhat.com writes:
On Tue, Oct 23, 2012 at 10:59:20AM -0400, Vivek Goyal wrote:
But what about creation of a new program which can call
On Wed, 2012-10-24 at 13:36 -0400, Vivek Goyal wrote:
On Tue, Oct 23, 2012 at 09:19:27AM -0700, Eric W. Biederman wrote:
Vivek Goyal vgo...@redhat.com writes:
On Tue, Oct 23, 2012 at 09:18:54AM -0400, Vivek Goyal wrote:
[..]
There are 3 options for trusting /sbin/kexec. There
On Wed, 2012-10-24 at 23:44 -0700, Kees Cook wrote:
On Wed, Oct 24, 2012 at 10:43 PM, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
On Wed, 2012-10-24 at 13:19 -0400, Vivek Goyal wrote:
On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
Matthew Garrett m...@redhat.com writes
On Thu, 2012-10-25 at 10:10 -0400, Vivek Goyal wrote:
On Thu, Oct 25, 2012 at 02:10:01AM -0400, Mimi Zohar wrote:
[..]
IMA-appraisal verifies the integrity of file data, while EVM verifies
the integrity of the file metadata, such as LSM and IMA-appraisal
labels. Both 'security.ima
On Thu, 2012-10-25 at 09:54 -0400, Vivek Goyal wrote:
On Thu, Oct 25, 2012 at 01:43:59AM -0400, Mimi Zohar wrote:
On Wed, 2012-10-24 at 13:19 -0400, Vivek Goyal wrote:
On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
Matthew Garrett m...@redhat.com writes
On Thu, 2012-10-25 at 14:55 -0400, Vivek Goyal wrote:
On Thu, Oct 25, 2012 at 02:40:21PM -0400, Mimi Zohar wrote:
On Thu, 2012-10-25 at 10:10 -0400, Vivek Goyal wrote:
On Thu, Oct 25, 2012 at 02:10:01AM -0400, Mimi Zohar wrote:
[..]
IMA-appraisal verifies the integrity of file
On Fri, 2012-10-26 at 03:39 +0100, Matthew Garrett wrote:
On Thu, Oct 25, 2012 at 09:15:58PM -0400, Mimi Zohar wrote:
On a running system, the package installer, after verifying the package
integrity, would install each file with the associated 'security.ima'
extended attribute
On Fri, 2012-10-26 at 19:19 +0100, Matthew Garrett wrote:
On Fri, Oct 26, 2012 at 01:59:34PM -0400, Mimi Zohar wrote:
On Fri, 2012-10-26 at 03:39 +0100, Matthew Garrett wrote:
and it must be impossible for anything other than
/sbin/kexec to make the kexec system call.
Permission
On Fri, 2012-10-26 at 13:06 -0400, Vivek Goyal wrote:
On Fri, Oct 26, 2012 at 03:39:16AM +0100, Matthew Garrett wrote:
On Thu, Oct 25, 2012 at 09:15:58PM -0400, Mimi Zohar wrote:
On a running system, the package installer, after verifying the package
integrity, would install each file
On Thu, 2012-10-18 at 10:43 +0800, Fengguang Wu wrote:
Mimi,
Although this occurs in the xen tree head, it's more likely related to
ima_inode_post_setattr().
Under certain circumstances ima_inode_post_setattr() removes
'security.ima' without checking that it exists. shmem doesn't seem to
On Fri, 2013-04-05 at 09:50 -0400, Vivek Goyal wrote:
On Tue, Feb 05, 2013 at 11:55:09PM +0200, Kasatkin, Dmitry wrote:
[..]
Also I am assuming that from signed initramfs, keys will be loaded in
appropriate keyrings and then keyring will be locked so that any
tools from unsigned
On Tue, 2013-04-09 at 10:38 -0400, Vivek Goyal wrote:
On Mon, Apr 08, 2013 at 04:17:56PM -0400, Josh Boyer wrote:
[..]
I was thinking about this point that keys can be loaded from signed
initramfs. But how is it better than embedding the keys in kernel the
way we do for module
On Wed, 2013-04-10 at 15:42 -0400, Vivek Goyal wrote:
On Tue, Apr 09, 2013 at 11:07:10PM -0400, Mimi Zohar wrote:
[..]
The module keyring is a special case. Loading these keys from the
kernel and, presumably, locking the keyring is probably fine. In the
case of IMA, however, files
On Thu, 2013-04-11 at 10:52 -0400, Vivek Goyal wrote:
On Wed, Apr 10, 2013 at 05:05:22PM -0400, Mimi Zohar wrote:
On Wed, 2013-04-10 at 15:42 -0400, Vivek Goyal wrote:
On Tue, Apr 09, 2013 at 11:07:10PM -0400, Mimi Zohar wrote:
[..]
The module keyring is a special case. Loading
On Thu, 2013-04-11 at 17:13 -0400, Vivek Goyal wrote:
On Thu, Apr 11, 2013 at 09:42:54PM +0300, Dmitry Kasatkin wrote:
[..]
What other initialization user space need to do where we can't trust
root (even in secureboot mode).
IOW, if keys can be embedded in kernel (or read from UEFI
On Fri, 2013-03-15 at 16:35 -0400, Vivek Goyal wrote:
Do elf executable signature verification (if one is present). If signature
is present, it should be valid. Validly signed files are given a capability
CAP_SIGNED.
If file is unsigned, it can execute but it does not get the capability
On Tue, 2013-03-19 at 15:47 +1100, James Morris wrote:
On Mon, 18 Mar 2013, Matthew Garrett wrote:
This patch introduces CAP_COMPROMISE_KERNEL.
I'd like to see this named CAP_MODIFY_KERNEL, which is more accurate and
less emotive. Otherwise I think core kernel developers will be
On Wed, 2013-03-20 at 11:21 -0400, Vivek Goyal wrote:
On Tue, Mar 19, 2013 at 10:39:01AM -0400, Mimi Zohar wrote:
[..]
+#ifdef CONFIG_BINFMT_ELF_SIG
+ /* If executable is digitally signed. Lock down in memory */
+ /* Get file signature, if any */
+ retval = ima_file_signature_alloc
On Wed, 2013-03-20 at 16:49 +, Matthew Garrett wrote:
On Wed, 2013-03-20 at 12:41 -0400, Mimi Zohar wrote:
Matthew, perhaps you could clarify whether this will be tied to MAC
security. Based on the kexec thread, I'm under the impression that is
not the intention, or at least
On Wed, 2013-03-20 at 18:12 +, Matthew Garrett wrote:
On Wed, 2013-03-20 at 14:01 -0400, Mimi Zohar wrote:
Sorry, I'm not sure to which work you're referring. If you're referring
to Dmitry's initramfs with digital signature protection patches, then
we're speaking about enforcing
On Wed, 2013-03-20 at 20:37 +, Matthew Garrett wrote:
On Wed, 2013-03-20 at 15:16 -0400, Mimi Zohar wrote:
On Wed, 2013-03-20 at 18:12 +, Matthew Garrett wrote:
Well, in the absence of hardcoded in-kernel policy, there needs to be
some mechanism for ensuring the integrity
On Fri, 2013-03-01 at 16:33 -0500, Vivek Goyal wrote:
On Fri, Mar 01, 2013 at 02:39:13PM -0500, Mimi Zohar wrote:
[..]
I was suggesting that a builtin appraise rule chain and everything else
on the other chain. Userspace could replace the other chain with
whatever they wanted, including
On Thu, 2013-02-14 at 14:55 -0500, Vivek Goyal wrote:
Digital signature verification happens using integrity_digsig_verify().
Currently we set integrity to FAIL for all error codes except -EOPNOTSUPP.
This sounds out of line.
- If appropriate kernel code is not compiled in to verify signature
On Mon, 2013-03-04 at 10:29 -0500, Vivek Goyal wrote:
[...]
Hi Mimi,
If we decide to merge flags, then practically we modified the
ima_appraise_tcb policy. ima_appraise_tcb policy expects to cache the
results and we will not do that. And this conflict just grows if we
are forced to add
On Mon, 2013-03-04 at 14:15 -0500, Vivek Goyal wrote:
I am just brainstorming and throwing some ideas and see if something
makes sense. I agree that allowing one policy only makes it very
restrictive (while simplifying the implementation).
Agreed, let's try again ... I think we are actually
On Mon, 2013-03-04 at 11:20 -0500, Vivek Goyal wrote:
On Mon, Mar 04, 2013 at 08:48:36AM -0500, Mimi Zohar wrote:
On Thu, 2013-02-14 at 14:55 -0500, Vivek Goyal wrote:
Digital signature verification happens using integrity_digsig_verify().
Currently we set integrity to FAIL for all error
On Tue, 2013-03-05 at 08:30 -0500, Mimi Zohar wrote:
Digital signature verification happens using integrity_digsig_verify().
If a digital signature is present in security.ima, then any error, which
happens during signature verification, should lead to status
INTEGRITY_FAIL. In the future we
On Tue, 2013-03-05 at 10:18 -0500, Vivek Goyal wrote:
Can we do following. (Just modifying your proposal little bit).
- Implement a new policy say ima_mem_exec. This policy can vary based on
config options. This will be the default policy.
Just to clarify, the default is the existing
On Tue, 2013-03-05 at 16:53 -0500, Vivek Goyal wrote:
On Tue, Mar 05, 2013 at 03:40:18PM -0500, Mimi Zohar wrote:
On Tue, 2013-03-05 at 10:18 -0500, Vivek Goyal wrote:
Can we do following. (Just modifying your proposal little bit).
- Implement a new policy say ima_mem_exec
On Wed, 2013-03-06 at 10:54 -0500, Vivek Goyal wrote:
On Tue, Mar 05, 2013 at 03:40:18PM -0500, Mimi Zohar wrote:
[..]
The fact that we are able to replace ima_mem_exec policy using command
line, binary loader will need a way to query IMA to find what's the
current policy
On Wed, 2013-03-06 at 18:55 -0500, Vivek Goyal wrote:
On Wed, Mar 06, 2013 at 10:42:31AM -0500, Mimi Zohar wrote:
[..]
Mimi, so you like this idea better than the other idea of keeping two
policy chains and running more restrictive rule while resolving flag
conflicts between two
On Wed, 2013-03-06 at 18:38 -0500, Vivek Goyal wrote:
On Wed, Mar 06, 2013 at 05:48:01PM -0500, Mimi Zohar wrote:
On Wed, 2013-03-06 at 10:54 -0500, Vivek Goyal wrote:
[...]
- Because policy can be replaced easily, some of the functionality
will automatically be disabled. (because
On Thu, 2013-03-07 at 09:36 -0500, Vivek Goyal wrote:
On Wed, Mar 06, 2013 at 08:39:08PM -0500, Mimi Zohar wrote:
On Wed, 2013-03-06 at 18:55 -0500, Vivek Goyal wrote:
On Wed, Mar 06, 2013 at 10:42:31AM -0500, Mimi Zohar wrote:
Adding an IMA call to directly appraise the integrity
On Mon, 2012-12-03 at 11:56 +1030, Rusty Russell wrote:
Mimi Zohar zo...@linux.vnet.ibm.com writes:
Using the same name for ephemeral and persistent keys results
in deleting the persistent key. This patch renames the normal
kbuild asymmetric key pair name to default_signing_key
On Tue, 2012-12-04 at 18:14 +, David Howells wrote:
Rusty Russell ru...@rustcorp.com.au wrote:
+PHONY += _newmodpubkey_
+_newmodpubkey_:
+ @rm -f $(MODSECKEY) $(MODPUBKEY)
+ $(Q)$(MAKE) -W kernel/modsign_pubkey.o
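Review bot: the `@rm -f $(MODSECKEY) $(MODPUBKEY)` line in the `_newmodpubkey_` target removes both key files unconditionally, so a persistent signing key that the builder placed under those names is deleted along with any ephemeral one. Guard the removal so it only applies to a key pair the build generated itself, and document in the target which of the two cases it is meant for. The forced rebuild through `$(MAKE) -W kernel/modsign_pubkey.o` also deserves a comment explaining why a normal dependency on the key files is not enough.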
Please don't do this. It can muck up the dependencies as make
On Mon, 2013-02-11 at 15:11 -0500, Vivek Goyal wrote:
appraise_type=imasig_optional will allow appraisal to pass even if no
signatures are present on the file. If signatures are present, then it
has to be valid digital signature, otherwise appraisal will fail.
This can allow to selectively
On Mon, 2013-02-11 at 15:11 -0500, Vivek Goyal wrote:
vfs_getxattr_alloc() returns -EOPNOTSUPP if filesystem does not have
security label enabled. In that case there is no point in continuing
further and try to fix hashes (if ima_appraise=fix was specified) as
that will fail too. Return early
On Tue, 2013-02-12 at 09:26 -0500, Vivek Goyal wrote:
On Mon, Feb 11, 2013 at 05:10:14PM -0500, Mimi Zohar wrote:
On Mon, 2013-02-11 at 15:11 -0500, Vivek Goyal wrote:
appraise_type=imasig_optional will allow appraisal to pass even if no
signatures are present on the file. If signatures
On Tue, 2013-02-12 at 13:52 -0500, Vivek Goyal wrote:
On Tue, Feb 12, 2013 at 12:14:07PM -0500, Mimi Zohar wrote:
[..]
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -124,19 +124,26 @@ int ima_appraise_measurement(int func, struct
On Wed, 2013-02-13 at 14:31 +0200, Kasatkin, Dmitry wrote:
On Mon, Feb 11, 2013 at 10:11 PM, Vivek Goyal vgo...@redhat.com wrote:
@@ -158,7 +165,8 @@ int ima_appraise_measurement(int func, struct
integrity_iint_cache *iint,
}
switch (xattr_value-type) {
case
On Wed, 2013-02-13 at 15:13 +0200, Kasatkin, Dmitry wrote:
On Wed, Feb 13, 2013 at 2:56 PM, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
On Wed, 2013-02-13 at 14:31 +0200, Kasatkin, Dmitry wrote:
On Mon, Feb 11, 2013 at 10:11 PM, Vivek Goyal vgo...@redhat.com wrote:
@@ -158,7 +165,8 @@ int
On Wed, 2013-02-13 at 15:36 +0200, Kasatkin, Dmitry wrote:
It should not be the only line in the policy.
Can you share full policy?
On Wed, Feb 13, 2013 at 3:29 PM, Vivek Goyal vgo...@redhat.com wrote:
appraise fowner=0 func=BPRM_CHECK appraise_type=imasig_optional
Different use cases
On Wed, 2013-02-13 at 09:38 -0500, Vivek Goyal wrote:
On Wed, Feb 13, 2013 at 03:36:45PM +0200, Kasatkin, Dmitry wrote:
It should not be the only line in the policy.
Can you share full policy?
I verified by putting some printk.
If anyone is interested in posting a patch to display the
=397449cd-687d-4145-8698-7fed4a3e0363).
For partitions not being appraised, it might be a good idea to mount
file systems with the 'noexec' option to prevent executing non-verified
binaries.
Signed-off-by: Dmitry Kasatkin dmitry.kasat...@intel.com
Signed-off-by: Mimi Zohar zo...@linux.vnet.ibm.com
compatibility.
Changelog v1:
- squash hmac version setting
Changelog v0:
- add missing Kconfig depends (Mimi)
Signed-off-by: Dmitry Kasatkin dmitry.kasat...@intel.com
Signed-off-by: Mimi Zohar zo...@linux.vnet.ibm.com
---
security/integrity/evm/Kconfig | 13 +
security/integrity/evm/evm.h
On Tue, 2013-02-05 at 13:03 -0500, Peter Jones wrote:
It's not clear to me why we need this encapsulation - wouldn't it be
better to add another [pointer,size] pair to the bootloader protocol
with a structure like:
https://lkml.org/lkml/2013/1/30/68 was in response to the assumption
that the
From: Dmitry Kasatkin dmitry.kasat...@intel.com
Old crypto hash API internally uses shash API.
Using shash API directly is more efficient.
Signed-off-by: Dmitry Kasatkin dmitry.kasat...@intel.com
Signed-off-by: Mimi Zohar zo...@linux.vnet.ibm.com
---
security/integrity/ima/ima.h| 1
From: Dmitry Kasatkin dmitry.kasat...@intel.com
Rename hash calculation functions to reflect meaning
and change argument order in conventional way.
Signed-off-by: Dmitry Kasatkin dmitry.kasat...@intel.com
Signed-off-by: Mimi Zohar zo...@linux.vnet.ibm.com
---
security/integrity/ima/ima.h
On Tue, 2013-01-29 at 13:20 -0500, Vivek Goyal wrote:
On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote:
[..]
Hi Mimi,
By policy you mean ima rules here? So I can either enable default rules
(tcb default rules for appraisal and measurement) by using kernel command
line
On Tue, 2013-01-29 at 15:10 -0500, Vivek Goyal wrote:
On Tue, Jan 29, 2013 at 03:01:13PM -0500, Mimi Zohar wrote:
[..]
Hi Mimi,
Can we add another field to ima_rule_entry, say .enforcement to control
the behavior of .action. Possible values of .enforcement could be, say
On Wed, 2013-01-30 at 06:32 +, Matthew Garrett wrote:
On Tue, Jan 29, 2013 at 11:58:53AM -0500, Vivek Goyal wrote:
On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote:
The assumption has always been that the initramfs would be measured, for
trusted boot, and appraised
On Wed, 2013-01-30 at 16:53 -0500, Vivek Goyal wrote:
On Tue, Jan 22, 2013 at 05:07:31PM -0500, Mimi Zohar wrote:
[..]
/* iint cache flags */
+#define IMA_ACTION_FLAGS 0xff00
#define IMA_DIGSIG 0x0100
+#define IMA_DIGSIG_REQUIRED0x0200
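Review bot: the new `IMA_ACTION_FLAGS` mask is added above `IMA_DIGSIG` and `IMA_DIGSIG_REQUIRED` with no comment saying which bits it is meant to cover. As written, 0xff00 includes both 0x0100 and 0x0200, so any code that tests or clears flags through the mask will also touch the signature-required state. Add a comment stating that these two defines are action flags selected by the mask, and note the range reserved for further ones, so that a later flag is not placed outside the mask or made to collide with the cached-status bits.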
Hi Mimi
On Thu, 2013-01-31 at 13:41 -0500, Vivek Goyal wrote:
On Wed, Jan 30, 2013 at 05:42:39PM -0500, Mimi Zohar wrote:
On Wed, 2013-01-30 at 16:53 -0500, Vivek Goyal wrote:
On Tue, Jan 22, 2013 at 05:07:31PM -0500, Mimi Zohar wrote:
[..]
/* iint cache flags */
+#define
On Tue, 2013-02-26 at 16:20 +, Al Viro wrote:
On Wed, Feb 20, 2013 at 04:27:51PM -0500, Mimi Zohar wrote:
Hi Al,
Are there any negative repercussions to temporarily removing the
o_direct flag in order to calculate the file hash?
thanks,
Mimi
-
Files are measured
On Tue, 2013-02-26 at 20:34 +, Al Viro wrote:
On Tue, Feb 26, 2013 at 02:32:08PM -0500, Mimi Zohar wrote:
Before anything gets access to the file, the file needs to be measured,
appraised, and/or audited, based on policy. If IMA-appraisal is enabled
and the file is in policy, we
On Wed, 2013-02-27 at 14:26 +0200, Kasatkin, Dmitry wrote:
On Wed, Feb 27, 2013 at 11:21 AM, Kasatkin, Dmitry
dmitry.kasat...@intel.com wrote:
On Wed, Feb 27, 2013 at 1:22 AM, Mimi Zohar zo...@linux.vnet.ibm.com
wrote:
On Tue, 2013-02-26 at 20:34 +, Al Viro wrote:
On Tue, Feb 26
On Wed, 2013-02-27 at 19:00 +, Al Viro wrote:
On Wed, Feb 27, 2013 at 11:21:15AM +0200, Kasatkin, Dmitry wrote:
On Wed, Feb 27, 2013 at 1:22 AM, Mimi Zohar zo...@linux.vnet.ibm.com
wrote:
On Tue, 2013-02-26 at 20:34 +, Al Viro wrote:
On Tue, Feb 26, 2013 at 02:32:08PM -0500
On Thu, 2013-02-28 at 10:13 -0500, Vivek Goyal wrote:
Hi Mimi,
I am running into issues w.r.t IMA policy management and user space
signing. So thought of dropping a mail and gather some ideas.
Currently IMA seems to able to one policy only which does not contain
conflicting rules. We have