From: Mimi Z. <zo...@li...> - 2012-09-16 01:38:37

On Fri, 2012-09-14 at 13:17 +0800, Jason Chow wrote:
> Hi all,
>
> The selinux extension to the measurement list could be written like
> 'measure func=FILE_CHECK mask=MAY_READ obj_type=my_app_t'. Where could
> I find documentation about the selinux extension? For example, how many
> masks could there be? If I want to measure some files after the system
> is on, even with no operations (no read or exec ops) on these files, how
> do I write the policy file?

The IMA measurement/appraisal policy is limited at the moment to three hooks: file_check, file_mmap, and bprm_check. The default policy measures/appraises files opened for read at file_check and defers the measurement/appraisal of files opened for exec to file_mmap/bprm_check. A custom policy based on SELinux labels could be used to constrain the default policy even further (e.g. don't measure log files or VMs). A hook for measuring/appraising kernel modules has been proposed. Other than these hooks, there is no mechanism for measuring/appraising files.

Previous work defined a mechanism for registering other types of templates, which was not limited to these hooks. For more information on LIM/templates, which was not upstreamed, refer to https://lkml.org/lkml/2008/10/13/344.

thanks,

Mimi
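As an added illustration, not part of the thread, here is a policy file that combines the stock ima_tcb rules with SELinux-label rules of the kind Mimi describes; the type names var_log_t and virt_image_t are assumed refpolicy types and must match the policy actually installed. Because nothing outside the three hooks triggers a measurement, a file that is never opened, mapped or executed never reaches the measurement list, whatever the policy says.

```conf
# Constructed example IMA policy (not from the thread). Rules are
# evaluated top to bottom and the first match wins, so every
# dont_measure exception has to precede the broad measure rules.
# Load it once with: cat ima-policy > /sys/kernel/security/ima/policy
# (the kernel accepts a policy once, replacing the built-in default).
#
# Stock ima_tcb exclusions: skip pseudo filesystems.
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_measure fsmagic=0x01021994
dont_measure fsmagic=0x73636673
#
# Constrain the default policy with SELinux labels: keep log files and
# VM disk images out of the measurement list (assumed type names).
# obj_type= rules only load when SELinux is enabled.
dont_measure obj_type=var_log_t
dont_measure obj_type=virt_image_t
#
# The rule from the question: measure any my_app_t file when it is
# opened for read (file_check hook). mask= takes MAY_READ, MAY_WRITE,
# MAY_APPEND or MAY_EXEC.
measure func=FILE_CHECK mask=MAY_READ obj_type=my_app_t
#
# Default hooks: execs at bprm_check, executable mappings at file_mmap,
# and files opened for read by root at file_check.
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
```

Comments must sit on their own lines; the parser rejects a rule line with trailing text it cannot match as a keyword.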