From: Sven V. <sve...@si...> - 2013-02-19 14:41:34
Hi all,

When I try to change the mode on a file in /run, I get a nice error:

#v+
chmod: changing permissions of 'utmp': Operation not permitted
#v-

When running with ima_appraise=fix evm=fix, the problem doesn't show up.

Now, I can *read* the files just fine: the files are on a tmpfs, which in the
policy is said to be not measured and not appraised:

#v+
# TMPFS_MAGIC = 0x01021994
dont_measure fsmagic=0x01021994
dont_appraise fsmagic=0x01021994
#v-

The file only holds an EVM hash:

#v+
test run # getfattr -m . -d utmp
# file: utmp
security.evm=0sAt2bx0ccn9rglgC6yz4RtbkQ0czJ
security.selinux="system_u:object_r:initrc_var_run_t"
#v-

It is just that changing the mode (chmod 0644 utmp) or even the SELinux context fails:

#v+
test run # chcon -t var_run_t utmp
chcon: failed to change context of 'utmp' to 'system_u:object_r:var_run_t': Operation not permitted
#v-

I do not get anything in dmesg, audit.log or kern.log.

Does anyone have any idea?

Wkr,
Sven Vermeulen

From: Mimi Z. <zo...@li...> - 2013-01-14 02:25:36
On Sun, 2013-01-13 at 15:28 +0100, Sven Vermeulen wrote:
> On Mon, Jan 07, 2013 at 06:59:47AM -0500, Mimi Zohar wrote:
> > > I'm now distributing it to my other test VMs so I can have the entire test
> > > infrastructure run with IMA/EVM (enforcing).
> >
> > Cool! Are you using digital signatures or only hashes?
>
> Mainly only hashes, although I have a few files set with digital
> signatures for testing purposes (to see if this "immutable" feature keeps
> working). So yes, even digital signatures still work with the patch applied
> (and continue to work even after reloading the LSM (SELinux) policy).
>
> However, I think the signature-based approach requires reactive validation
> (i.e. check if the files still contain a signature instead of just a hash)
> to make sure the files have not been tampered with (similar to the remote
> attestation). Local appraisal has only limited success in this area.
>
> A malicious user can manipulate the file system offline, regenerate the
> security.ima and security.evm attributes (but providing a hash instead of a
> digital signature as he doesn't have the private key) and have it boot up
> again. Because the integrity subsystem verifies that the attributes are
> correct (it sees hashes, so validates those) the system continues allowing
> access to these files.

Agreed, we need to differentiate between files requiring signatures versus
hashes, but not because 'security.evm' can be regenerated offline.

> Only reactive checking (like checking the attributes of all files that
> *ought* to be immutable) works to ensure that the files have not been
> tampered with.

linux-integrity/#next-ima-appraise-status contains a couple of patches
queued to be upstreamed that address this issue.

ima: differentiate appraise status only for hook specific rules
ima: per hook cache integrity appraisal status
ima: increase iint flag size
ima: added policy support for 'security.ima' type

thanks,

Mimi

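The "reactive check" Sven asks for above, and the distinction Mimi agrees is needed between files that must carry a signature and files that may carry only a hash, can be scripted from `getfattr -m . -d` output. This is an added example, not code from the thread or from ima-evm-utils; the type-byte values follow the kernel's `enum evm_ima_xattr_type`, the sample dump reuses values quoted in the thread plus one constructed signed entry, and the list of paths that must be signed is an assumption.

```python
"""Reactive check of IMA/EVM xattrs (added example, not from the thread).

Parses `getfattr -m . -d` output, decodes each value and classifies
security.ima / security.evm by the leading type byte of the kernel's
enum evm_ima_xattr_type. Files that ought to be signed but carry only a
hash, or no security.ima at all, are reported.
"""
import base64
from dataclasses import dataclass

# Leading type byte of security.ima / security.evm values.
XATTR_TYPES = {
    0x01: "IMA_XATTR_DIGEST",      # plain hash: anyone who can write xattrs can regenerate it
    0x02: "EVM_XATTR_HMAC",        # HMAC over the other security xattrs (security.evm)
    0x03: "EVM_IMA_XATTR_DIGSIG",  # digital signature: requires the private key
    0x04: "IMA_XATTR_DIGEST_NG",   # hash with an algorithm byte (newer kernels)
}


def decode_value(raw: str) -> bytes:
    """Decode one getfattr value: 0s = base64, 0x = hex, otherwise quoted text."""
    if raw.startswith("0s"):
        return base64.b64decode(raw[2:])
    if raw.startswith("0x"):
        return bytes.fromhex(raw[2:])
    return raw.strip('"').encode()


def parse_getfattr(text: str) -> dict:
    """Return {path: {xattr_name: bytes}} from `getfattr -m . -d` output."""
    files, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file: "):
            current = line[len("# file: "):]
            files[current] = {}
        elif "=" in line and current is not None:
            name, _, value = line.partition("=")
            files[current][name] = decode_value(value)
    return files


def xattr_kind(value: bytes) -> str:
    """Name the xattr type from its first byte."""
    if not value:
        return "empty"
    return XATTR_TYPES.get(value[0], f"unknown(0x{value[0]:02x})")


@dataclass
class Finding:
    path: str
    problem: str


def check_signed(files: dict, must_be_signed: set) -> list:
    """Flag files expected to carry an IMA signature but holding a hash or nothing."""
    findings = []
    for path in sorted(must_be_signed):
        attrs = files.get(path)
        if attrs is None or "security.ima" not in attrs:
            findings.append(Finding(path, "security.ima missing"))
            continue
        kind = xattr_kind(attrs["security.ima"])
        if kind != "EVM_IMA_XATTR_DIGSIG":
            findings.append(Finding(path, f"security.ima is {kind}, not a signature"))
    return findings


# Constructed sample dump: the first two files use values quoted in the thread,
# the third is a constructed signed entry (type 0x03, dummy payload).
SIGNED_VALUE = "0s" + base64.b64encode(bytes([0x03, 0x02]) + bytes(16)).decode()
SAMPLE_DUMP = f"""\
# file: policy.27
security.evm=0sAud8wjn2az5ZxEvssgVggxc7YXTR
security.ima=0sAXgvCp+B5kwkMiKCyhq/nH5v8RmM
security.selinux="root:object_r:policy_config_t"

# file: file_contexts
security.evm=0sAjzJy9PAYHuE/tnA8joO2DuI0vI4
security.selinux="root:object_r:file_context_t"

# file: sbin_init
security.evm=0sAud8wjn2az5ZxEvssgVggxc7YXTR
security.ima={SIGNED_VALUE}
"""
MUST_BE_SIGNED = {"policy.27", "file_contexts", "sbin_init"}  # assumed set

if __name__ == "__main__":
    for f in check_signed(parse_getfattr(SAMPLE_DUMP), MUST_BE_SIGNED):
        print(f"{f.path}: {f.problem}")
```

Run against real output (`getfattr -m . -d -R /etc/selinux`) the same parser applies; only the expected-signed set changes.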
From: Sven V. <sve...@si...> - 2013-01-13 14:28:48
On Mon, Jan 07, 2013 at 06:59:47AM -0500, Mimi Zohar wrote:
> > I'm now distributing it to my other test VMs so I can have the entire test
> > infrastructure run with IMA/EVM (enforcing).
>
> Cool! Are you using digital signatures or only hashes?

Mainly only hashes, although I have a few files set with digital
signatures for testing purposes (to see if this "immutable" feature keeps
working). So yes, even digital signatures still work with the patch applied
(and continue to work even after reloading the LSM (SELinux) policy).

However, I think the signature-based approach requires reactive validation
(i.e. check if the files still contain a signature instead of just a hash)
to make sure the files have not been tampered with (similar to the remote
attestation). Local appraisal has only limited success in this area.

A malicious user can manipulate the file system offline, regenerate the
security.ima and security.evm attributes (but providing a hash instead of a
digital signature as he doesn't have the private key) and have it boot up
again. Because the integrity subsystem verifies that the attributes are
correct (it sees hashes, so validates those) the system continues allowing
access to these files.

Only reactive checking (like checking the attributes of all files that
*ought* to be immutable) works to ensure that the files have not been
tampered with.

Wkr,
Sven Vermeulen

From: Kasatkin, D. <dmi...@in...> - 2013-01-08 12:49:19
On Sun, Jan 6, 2013 at 11:40 PM, Amadeusz Sławiński <am...@as...> wrote:
> Hello,
>
> I noticed that 'evmctl ima_hash file' will fail on big files and after a bit of
> investigation found that code assumes that file size will fit in int
> which may not always be the case.
>
> # evmctl ima_hash /swapfile
> *** buffer overflow detected ***: evmctl - terminated
> evmctl: buffer overflow attack in function <unknown> - terminated
> Report to http://bugs.gentoo.org/
> zsh: killed evmctl ima_hash /swapfile
> # ls -lh /swapfile
> -rw-r--r--. 1 root root 3.0G Sep 13 14:07 /swapfile
> # ls -l /swapfile
> -rw-r--r--. 1 root root 3221225472 Sep 13 14:07 /swapfile
>
> After applying attached patch changing get_fdsize it works without problem.
>
> There is also similar code in get_filesize, but I haven't changed it, it is
> used later to pass filesize to malloc() in file2bin and I'm not sure if it
> will work with such big files.
>
> Amadeusz

Hello Amadeusz,

Thanks for the fix!

- Dmitry

From: Mimi Z. <zo...@li...> - 2013-01-07 11:59:59
On Fri, 2013-01-04 at 19:20 +0100, Sven Vermeulen wrote:
> On Fri, Jan 04, 2013 at 07:54:19AM -0500, Mimi Zohar wrote:
> > > Indeed, without loading the custom policy it seems to work fine.
> >
> > To summarize, the base policy works properly as there are not any LSM
> > specific rules. An IMA policy containing LSM rules works properly,
> > until the LSM policy is reloaded, as shown in your setsebool example.
> > Please let me know if the patch below fixes it.
>
> Yes, it does fix it. I'm able to rebuild policies, toggle booleans, etc.
> Also, the SELinux error messages on "selinux_audit_rule_match: stale rule"
> have also almost fully disappeared (just get a single one right after
> updating the policy) and I get my AVC denials just as I expected to (wasn't
> the case before).

Great! Unfortunately, updating the LSM policy is LSM specific. The only
generic method for detecting an LSM policy change is when an error occurs.
The first "stale rule" is the trigger to update the IMA LSM based rules.

> I'm now distributing it to my other test VMs so I can have the entire test
> infrastructure run with IMA/EVM (enforcing).

Cool! Are you using digital signatures or only hashes?

Mimi

From: Amadeusz S. <am...@as...> - 2013-01-06 22:31:25
Hello,

I noticed that 'evmctl ima_hash file' will fail on big files and after a bit of
investigation found that code assumes that file size will fit in int
which may not always be the case.

# evmctl ima_hash /swapfile
*** buffer overflow detected ***: evmctl - terminated
evmctl: buffer overflow attack in function <unknown> - terminated
Report to http://bugs.gentoo.org/
zsh: killed evmctl ima_hash /swapfile
# ls -lh /swapfile
-rw-r--r--. 1 root root 3.0G Sep 13 14:07 /swapfile
# ls -l /swapfile
-rw-r--r--. 1 root root 3221225472 Sep 13 14:07 /swapfile

After applying attached patch changing get_fdsize it works without problem.

There is also similar code in get_filesize, but I haven't changed it, it is
used later to pass filesize to malloc() in file2bin and I'm not sure if it
will work with such big files.

Amadeusz

From: Sven V. <sve...@si...> - 2013-01-04 18:21:09
On Fri, Jan 04, 2013 at 07:54:19AM -0500, Mimi Zohar wrote:
> > Indeed, without loading the custom policy it seems to work fine.
>
> To summarize, the base policy works properly as there are not any LSM
> specific rules. An IMA policy containing LSM rules works properly,
> until the LSM policy is reloaded, as shown in your setsebool example.
> Please let me know if the patch below fixes it.

Yes, it does fix it. I'm able to rebuild policies, toggle booleans, etc.
Also, the SELinux error messages on "selinux_audit_rule_match: stale rule"
have also almost fully disappeared (just get a single one right after
updating the policy) and I get my AVC denials just as I expected to (wasn't
the case before).

I'm now distributing it to my other test VMs so I can have the entire test
infrastructure run with IMA/EVM (enforcing).

Thanks!

Wkr,
Sven Vermeulen

From: Mimi Z. <zo...@li...> - 2013-01-04 12:54:31
On Tue, 2013-01-01 at 00:33 +0100, Sven Vermeulen wrote:
> On Mon, Dec 31, 2012 at 05:34:38PM -0500, Mimi Zohar wrote:
> > Your IMA policy defines LSM specific rules. Before loading your IMA
> > policy, try this again. 'security.ima' should be written out. At
> > least on my system it is.
>
> Indeed, without loading the custom policy it seems to work fine.
To summarize, the base policy works properly as there are not any LSM
specific rules. An IMA policy containing LSM rules works properly,
until the LSM policy is reloaded, as shown in your setsebool example.
Please let me know if the patch below fixes it.
thanks,
Mimi
[RFC][PATCH] ima: re-initialize IMA policy LSM info
Although the IMA policy does not change, the LSM policy can be
reloaded, leaving the IMA LSM based rules referring to the old,
stale LSM policy. This patch updates the IMA LSM based rules
to reflect the reloaded LSM policy.
Reported-by: Sven Vermeulen <sve...@si...>
Signed-off-by: Mimi Zohar <zo...@li...>
---
security/integrity/ima/ima_policy.c | 68 +++++++++++++++++++++++++++++++------
1 file changed, 58 insertions(+), 10 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 479fca9..7940f36 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -49,6 +49,7 @@ struct ima_rule_entry {
kuid_t fowner;
struct {
void *rule; /* LSM file metadata specific */
+ void *args_p; /* audit value */
int type; /* audit type */
} lsm[MAX_LSM_RULES];
};
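Review bot: the new `args_p` field's comment `/* audit value */` does not say why the string is kept: it is the saved rule argument that lets `security_filter_rule_init()` be called again after an LSM policy reload, and it carries its own allocation and free elsewhere in this patch. Suggest `/* rule argument, kept so the LSM rule can be re-initialized */` so the ownership is clear to whoever next adds a field to `lsm[]`.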
@@ -119,6 +120,35 @@ static int __init default_appraise_policy_setup(char *str)
}
__setup("ima_appraise_tcb", default_appraise_policy_setup);
+/*
+ * Although the IMA policy does not change, the LSM policy can be
+ * reloaded, leaving the IMA LSM based rules referring to the old,
+ * stale LSM policy.
+ *
+ * Update the IMA LSM based rules to reflect the reloaded LSM policy.
+ * We assume the rules still exist; and BUG_ON() if they don't.
+ */
+static void ima_lsm_update_rules(void)
+{
+ struct ima_rule_entry *entry, *tmp;
+ int result;
+ int i;
+
+ mutex_lock(&ima_rules_mutex);
+ list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) {
+ for (i = 0; i < MAX_LSM_RULES; i++) {
+ if (!entry->lsm[i].rule)
+ continue;
+ result = security_filter_rule_init(entry->lsm[i].type,
+ Audit_equal,
+ entry->lsm[i].args_p,
+ &entry->lsm[i].rule);
+ BUG_ON(!entry->lsm[i].rule);
+ }
+ }
+ mutex_unlock(&ima_rules_mutex);
+}
+
/**
* ima_match_rules - determine whether an inode matches the measure rule.
* @rule: a pointer to a rule
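Review bot: in `ima_lsm_update_rules()` the existing `entry->lsm[i].rule` is overwritten by `security_filter_rule_init()` without the previous rule object being released, so every LSM policy reload leaks one rule per LSM condition; release the old rule before re-initializing. `result` is assigned but never examined, and `BUG_ON(!entry->lsm[i].rule)` panics the machine if the reloaded LSM policy no longer knows a label named in the IMA policy (a type dropped from the SELinux policy is enough), which the comment above acknowledges; returning the error so the caller can report a stale IMA policy would fail far more gracefully than a kernel BUG in the file-open path.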
@@ -149,10 +179,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
for (i = 0; i < MAX_LSM_RULES; i++) {
int rc = 0;
u32 osid, sid;
+ int retried = 0;
if (!rule->lsm[i].rule)
continue;
-
+retry:
switch (i) {
case LSM_OBJ_USER:
case LSM_OBJ_ROLE:
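Review bot: the `retry:` label sits before the `switch`, so after a reload the match is re-run through the same `rule->lsm[i].rule` pointer; that only works because `ima_lsm_update_rules()` rewrites the pointer in place, and a one-line comment at the label would make that dependency visible in this function rather than leaving it to be inferred from the helper.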
@@ -176,6 +207,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
default:
break;
}
+ if ((rc < 0) && (!retried)) {
+ retried = 1;
+ ima_lsm_update_rules();
+ goto retry;
+ }
if (!rc)
return false;
}
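Review bot: the retry covers only the first failure; if `rc` is still negative after `ima_lsm_update_rules()`, execution falls into `if (!rc) return false;`, where a negative `rc` is non-zero and so the condition is treated as matched, meaning an LSM condition that cannot be evaluated silently satisfies the rule. Decide this explicitly, e.g. `if (rc < 0) return false;` (or propagate the error) before the `!rc` test, so that an unevaluable rule has a deliberate outcome rather than an accidental one. Also note that `ima_lsm_update_rules()` takes `ima_rules_mutex` from inside the matching path, so no caller of `ima_match_rules()` may already hold it.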
@@ -306,19 +342,27 @@ static match_table_t policy_tokens = {
};
static int ima_lsm_rule_init(struct ima_rule_entry *entry,
- char *args, int lsm_rule, int audit_type)
+ substring_t *args, int lsm_rule, int audit_type)
{
int result;
if (entry->lsm[lsm_rule].rule)
return -EINVAL;
+ entry->lsm[lsm_rule].args_p = match_strdup(args);
+ if (!entry->lsm[lsm_rule].args_p)
+ return -ENOMEM;
+
entry->lsm[lsm_rule].type = audit_type;
result = security_filter_rule_init(entry->lsm[lsm_rule].type,
- Audit_equal, args,
+ Audit_equal,
+ entry->lsm[lsm_rule].args_p,
&entry->lsm[lsm_rule].rule);
- if (!entry->lsm[lsm_rule].rule)
+ if (!entry->lsm[lsm_rule].rule) {
+ kfree(entry->lsm[lsm_rule].args_p);
return -EINVAL;
+ }
+
return result;
}
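Review bot: in the failure branch of `ima_lsm_rule_init()` the `kfree(entry->lsm[lsm_rule].args_p)` leaves a dangling pointer behind; set `entry->lsm[lsm_rule].args_p = NULL` right after it, because `ima_delete_rules()` in this same patch now calls `kfree()` on every `args_p` unconditionally and a stale pointer there is a double free waiting for a caller that keeps the entry around. The branch also returns `-EINVAL` while a more specific error may be sitting in `result`.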
@@ -481,37 +525,37 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
break;
case Opt_obj_user:
ima_log_string(ab, "obj_user", args[0].from);
- result = ima_lsm_rule_init(entry, args[0].from,
+ result = ima_lsm_rule_init(entry, args,
LSM_OBJ_USER,
AUDIT_OBJ_USER);
break;
case Opt_obj_role:
ima_log_string(ab, "obj_role", args[0].from);
- result = ima_lsm_rule_init(entry, args[0].from,
+ result = ima_lsm_rule_init(entry, args,
LSM_OBJ_ROLE,
AUDIT_OBJ_ROLE);
break;
case Opt_obj_type:
ima_log_string(ab, "obj_type", args[0].from);
- result = ima_lsm_rule_init(entry, args[0].from,
+ result = ima_lsm_rule_init(entry, args,
LSM_OBJ_TYPE,
AUDIT_OBJ_TYPE);
break;
case Opt_subj_user:
ima_log_string(ab, "subj_user", args[0].from);
- result = ima_lsm_rule_init(entry, args[0].from,
+ result = ima_lsm_rule_init(entry, args,
LSM_SUBJ_USER,
AUDIT_SUBJ_USER);
break;
case Opt_subj_role:
ima_log_string(ab, "subj_role", args[0].from);
- result = ima_lsm_rule_init(entry, args[0].from,
+ result = ima_lsm_rule_init(entry, args,
LSM_SUBJ_ROLE,
AUDIT_SUBJ_ROLE);
break;
case Opt_subj_type:
ima_log_string(ab, "subj_type", args[0].from);
- result = ima_lsm_rule_init(entry, args[0].from,
+ result = ima_lsm_rule_init(entry, args,
LSM_SUBJ_TYPE,
AUDIT_SUBJ_TYPE);
break;
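Review bot: style only: the six `Opt_*` cases now differ solely in the LSM slot and audit type handed to `ima_lsm_rule_init()`; a small table indexed by token would remove the six-fold repetition and make it harder for a future case to pass a mismatched pair. Passing `args` instead of `args[0].from` is correct here because `ima_lsm_rule_init()` now calls `match_strdup(args)` on the first substring itself.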
@@ -590,9 +634,13 @@ ssize_t ima_parse_add_rule(char *rule)
void ima_delete_rules(void)
{
struct ima_rule_entry *entry, *tmp;
+ int i;
mutex_lock(&ima_rules_mutex);
list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) {
+ for (i = 0; i < MAX_LSM_RULES; i++)
+ kfree(entry->lsm[i].args_p);
+
list_del(&entry->list);
kfree(entry);
}
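Review bot: `ima_delete_rules()` now frees `args_p` but still does not release `entry->lsm[i].rule`, which `security_filter_rule_init()` allocated; since this patch also re-creates those rule objects on every LSM reload, the missing release belongs in the same series rather than being left to leak on policy deletion.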
--
1.8.1.rc3
From: Sven V. <sve...@si...> - 2012-12-31 23:34:30
On Mon, Dec 31, 2012 at 05:34:38PM -0500, Mimi Zohar wrote:
> Your IMA policy defines LSM specific rules. Before loading your IMA
> policy, try this again. 'security.ima' should be written out. At
> least on my system it is.

Indeed, without loading the custom policy it seems to work fine.

Thanks!

Wkr,
Sven Vermeulen

From: Sven V. <sve...@si...> - 2012-12-31 23:24:37
On Mon, Dec 31, 2012 at 05:34:38PM -0500, Mimi Zohar wrote:
> Your IMA policy defines LSM specific rules. Before loading your IMA
> policy, try this again. 'security.ima' should be written out. At
> least on my system it is.

Ah, I thought it was ok to add those in, as per the Linux-IMA wiki [1].
I'll try without custom policy first and see how that goes. I added in the
various logging types because they were cluttering up the audit logs
(measurements that failed because of multiple opens or so).

Thanks for the quick follow-up!

Wkr,
Sven Vermeulen

[1] https://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page#Defining_an_LSM_specific_policy

From: Mimi Z. <zo...@li...> - 2012-12-31 22:34:49
On Mon, 2012-12-31 at 21:28 +0100, Sven Vermeulen wrote:
> On Sun, Dec 30, 2012 at 06:58:02PM -0500, Mimi Zohar wrote:
> > To summarize, basically evmctl labels the filesystem properly, but
> > opening existing files or creating new ones, in fix mode, doesn't result
> > in proper labeling of files. Try experimenting with root owned files.
>
> Aha, thanks, you put me in the good direction here.
>
> I have another example here, namely the SELinux binary policy file and other
> SELinux related files. For some strange reason, it doesn't get measured at
> run-time, but it does get appraised at boot time. So when I rebuild my
> SELinux policy, I cannot use it anymore after a reboot.
> #v+
> test policy # getfattr -m . -d policy.27
> # file: policy.27
> security.evm=0sAud8wjn2az5ZxEvssgVggxc7YXTR
> security.ima=0sAXgvCp+B5kwkMiKCyhq/nH5v8RmM
> security.selinux="root:object_r:policy_config_t"
>
> test policy # stat policy.27
> File: 'policy.27'
> Size: 396067 Blocks: 784 IO Block: 4096 regular file
> Device: fb02h/64258d Inode: 394414 Links: 1
> Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
> Context: root:object_r:policy_config_t
> Access: 2012-12-31 21:05:48.421000000 +0100
> Modify: 2012-12-31 21:05:48.426000000 +0100
> Change: 2012-12-31 21:05:48.427000000 +0100
> Birth: -
> #v-
>
> All is good here, so let's update the policy by setting a boolean
>
> #v+
> test policy # setsebool -P allow_ptrace on
> test policy # stat policy.27
> File: 'policy.27'
> Size: 396067 Blocks: 784 IO Block: 4096 regular file
> Device: fb02h/64258d Inode: 394411 Links: 1
Notice that the inode has changed. This isn't the same file.
> Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
> Context: root:object_r:policy_config_t
> Access: 2012-12-31 21:06:46.095000000 +0100
> Modify: 2012-12-31 21:06:46.099000000 +0100
> Change: 2012-12-31 21:06:46.099000000 +0100
> Birth: -
> test policy # getfattr -m . -d policy.27
> # file: policy.27
> security.evm=0sAsDOnzpOajlpHXmTwtnJ+TRW3GEd
> security.selinux="root:object_r:policy_config_t"
> #v-
> So the policy file has changed, and I lost my IMA hash.
Changing the file should automatically update the 'security.ima' hash
value, assuming it is in policy.
> I looked at the IMA policy, and it has the following:
>
> #v+
> # SELINUX_MAGIC = 0xf97cff8c
> dont_measure fsmagic=0xf97cff8c
> dont_appraise fsmagic=0xf97cff8c
> #v-
>
> Sure enough, the magic of the policy file tells that it is a SELinux file.
fsmagic defines the filesystem type. policy.27 is definitely not on the
selinux fs. (Further explanation below.)
> #v+
> test policy # hexdump -C -n 4 policy.27
> 00000000 8c ff 7c f9 |..|.|
> 00000004
> #v-
>
> But when I reboot in enforcing mode:
>
> #v+
> [ 1.451568] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input2
> [ 1.507756] Key type trusted registered
> [ 1.558805] Key type encrypted registered
> [ 1.601568] IMA: No TPM chip found, activating TPM-bypass!
> [ 1.605922] ALSA device list:
> [ 1.608111] No soundcards found.
> [ 1.612545] Freeing unused kernel memory: 744k freed
> [ 4.864195] type=1800 audit(1356985118.864:2): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op="appraise_data" cause="missing-hash" comm="init" name="/etc/selinux/strict/policy/policy.27" dev="dm-2" ino=394411 res=0
> #v-
Right, this is the new inode that wasn't labeled.
> I first thought that my own policy was different from the default one (since
> I load my IMA policy after the SELinux policy is loaded),
The 'ima_tcb' policy does not contain any LSM rules. If it did, it
would have to be loaded after the LSM was enabled.
> but in the Linux
> kernel's security/integrity/ima/ima_policy.c I notice the following two
> entries:
>
> #v+
> static struct ima_rule_entry default_rules[] = {
> ...
> {.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
>
> static struct ima_rule_entry default_appraise_rules[] = {
> ...
> {.action = DONT_APPRAISE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
> #v-
IMA defines a number of securityfs based runtime files (eg. policy,
ascii_runtime_measurements, runtime_measurements_count,
binary_runtime_measurements). Perhaps for historical reasons, SELinux
doesn't use securityfs, but defines its own runtime filesystem. As
these aren't real files, they're not measured/appraised.
> And now that I'm testing more, I notice that even my default context files
> have this weird non-measured problem:
>
> #v+
> test files # getfattr -m . -d file_contexts
> # file: file_contexts
> security.evm=0sAvuVjeRJJGraNaldIrBmOdQ8SSgN
> security.ima=0sAQcbZOYamvOUVurJWQC/V/ll8T3j
> security.selinux="system_u:object_r:file_context_t"
>
> test files # setsebool -P allow_ptrace off
> test files # getfattr -m . -d file_contexts
> # file: file_contexts
> security.evm=0sAjzJy9PAYHuE/tnA8joO2DuI0vI4
> security.selinux="root:object_r:file_context_t"
> #v-
>
> And these definitely don't have a magic for SELinux, and they are
> root-owned.
>
Your IMA policy defines LSM specific rules. Before loading your IMA
policy, try this again. 'security.ima' should be written out. At
least on my system it is.
Mimi
> Note that I also have another problem with SELinux and IMA combined [1]
> which I first thought was less related to this, but it is too much of a
> coincidence: the moment I rebuild/reload my policy, I get
> "selinux_audit_rule_match: stale rule" and no further information on SELinux
> AVCs.
>
> [1] http://marc.info/?l=selinux&m=135686169925172&w=2
>
> Wkr,
> Sven Vermeulen
From: Sven V. <sve...@si...> - 2012-12-31 20:29:22
On Sun, Dec 30, 2012 at 06:58:02PM -0500, Mimi Zohar wrote:
> To summarize, basically evmctl labels the filesystem properly, but
> opening existing files or creating new ones, in fix mode, doesn't result
> in proper labeling of files. Try experimenting with root owned files.
Aha, thanks, you put me in the good direction here.
I have another example here, namely the SELinux binary policy file and other
SELinux related files. For some strange reason, it doesn't get measured at
run-time, but it does get appraised at boot time. So when I rebuild my
SELinux policy, I cannot use it anymore after a reboot.
#v+
test policy # getfattr -m . -d policy.27
# file: policy.27
security.evm=0sAud8wjn2az5ZxEvssgVggxc7YXTR
security.ima=0sAXgvCp+B5kwkMiKCyhq/nH5v8RmM
security.selinux="root:object_r:policy_config_t"
test policy # stat policy.27
File: 'policy.27'
Size: 396067 Blocks: 784 IO Block: 4096 regular file
Device: fb02h/64258d Inode: 394414 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Context: root:object_r:policy_config_t
Access: 2012-12-31 21:05:48.421000000 +0100
Modify: 2012-12-31 21:05:48.426000000 +0100
Change: 2012-12-31 21:05:48.427000000 +0100
Birth: -
#v-
All is good here, so let's update the policy by setting a boolean
#v+
test policy # setsebool -P allow_ptrace on
test policy # stat policy.27
File: 'policy.27'
Size: 396067 Blocks: 784 IO Block: 4096 regular file
Device: fb02h/64258d Inode: 394411 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Context: root:object_r:policy_config_t
Access: 2012-12-31 21:06:46.095000000 +0100
Modify: 2012-12-31 21:06:46.099000000 +0100
Change: 2012-12-31 21:06:46.099000000 +0100
Birth: -
test policy # getfattr -m . -d policy.27
# file: policy.27
security.evm=0sAsDOnzpOajlpHXmTwtnJ+TRW3GEd
security.selinux="root:object_r:policy_config_t"
#v-
So the policy file has changed, and I lost my IMA hash.
I looked at the IMA policy, and it has the following:
#v+
# SELINUX_MAGIC = 0xf97cff8c
dont_measure fsmagic=0xf97cff8c
dont_appraise fsmagic=0xf97cff8c
#v-
Sure enough, the magic of the policy file tells that it is a SELinux file.
#v+
test policy # hexdump -C -n 4 policy.27
00000000 8c ff 7c f9 |..|.|
00000004
#v-
But when I reboot in enforcing mode:
#v+
[ 1.451568] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input2
[ 1.507756] Key type trusted registered
[ 1.558805] Key type encrypted registered
[ 1.601568] IMA: No TPM chip found, activating TPM-bypass!
[ 1.605922] ALSA device list:
[ 1.608111] No soundcards found.
[ 1.612545] Freeing unused kernel memory: 744k freed
[ 4.864195] type=1800 audit(1356985118.864:2): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op="appraise_data" cause="missing-hash" comm="init" name="/etc/selinux/strict/policy/policy.27" dev="dm-2" ino=394411 res=0
#v-
I first thought that my own policy was different from the default one (since
I load my IMA policy after the SELinux policy is loaded), but in the Linux
kernel's security/integrity/ima/ima_policy.c I notice the following two
entries:
#v+
static struct ima_rule_entry default_rules[] = {
...
{.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
static struct ima_rule_entry default_appraise_rules[] = {
...
{.action = DONT_APPRAISE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
#v-
And now that I'm testing more, I notice that even my default context files
have this weird non-measured problem:
#v+
test files # getfattr -m . -d file_contexts
# file: file_contexts
security.evm=0sAvuVjeRJJGraNaldIrBmOdQ8SSgN
security.ima=0sAQcbZOYamvOUVurJWQC/V/ll8T3j
security.selinux="system_u:object_r:file_context_t"
test files # setsebool -P allow_ptrace off
test files # getfattr -m . -d file_contexts
# file: file_contexts
security.evm=0sAjzJy9PAYHuE/tnA8joO2DuI0vI4
security.selinux="root:object_r:file_context_t"
#v-
And these definitely don't have a magic for SELinux, and they are
root-owned.
Note that I also have another problem with SELinux and IMA combined [1]
which I first thought was less related to this, but it is too much of a
coincidence: the moment I rebuild/reload my policy, I get
"selinux_audit_rule_match: stale rule" and no further information on SELinux
AVCs.
[1] http://marc.info/?l=selinux&m=135686169925172&w=2
Wkr,
Sven Vermeulen
From: Mimi Z. <zo...@li...> - 2012-12-30 23:58:11
On Sun, 2012-12-30 at 16:01 +0100, Sven Vermeulen wrote:
> Hi all,
>
> I'm testing out the Linux-IMA/EVM implementation on a virtual guest (Linux
> kernel 3.7 but patched with grSecurity on top of it). When running with
> "ima_appraise=fix ima_appraise_tcb evm=fix ima_tcb" as kernel parameters, I
> notice that the measurements are not always properly stored as extended
> attributes. When running in enforcing, I also notice that something similar
> occurs with newly created files - not always, but it doesn't take long
> before I need to reboot my system back in "fix" mode so that important
> files, such as the SELinux policy file, are re-measured & stored again.

Although the default measurement (ima_tcb) and appraise (ima_appraise_tcb)
policies overlap, they're not the same.

> As an example, in "fix" mode:
>
> #v+
> ~# getfattr -m . -d zlib-1.2.7.tar.gz
> # file: zlib-1.2.7.tar.gz
> security.selinux="system_u:object_r:portage_ebuild_t"
>
> ~# head -n 1 zlib-1.2.7.tar.gz
> [... some random cruft ...]
>
> ~# grep zlib /sys/kernel/security/ima/ascii_runtime_measurements
> 10 c1673676dd06fbd9a180d3ae1e4aacf858fd493c ima f9b57333bb7243bd6d4f3d9ffa705c1bef5404db /usr/lib64/python2.7/lib-dynload/zlib.so
> 10 0c1cecb9f8ddd173d981d189dff0ebe2d5d9bc8d ima 4aa358a95d1e5774603e6fa149c926a80df43559 /usr/portage/distfiles/zlib-1.2.7.tar.gz

The 'ima_tcb' policy measures files opened by root, which is what you're
seeing here.

> ~# getfattr -m . -d zlib-1.2.7.tar.gz
> # file: zlib-1.2.7.tar.gz
> security.selinux="system_u:object_r:portage_ebuild_t"
> #v-

The 'ima_appraise_tcb' policy appraises files owned by root. What is the
uid/gid of zlib-1.2.7.tar.gz?

> When I use evmctl ima_hash against the file, it does get the proper
> attribute set. At [1] you can find the custom policy I use (mainly the
> default one but don't measure various log filetypes as provided through
> SELinux types), but since the files do get measured (they come up in the
> ascii_runtime_measurements pseudofile) I don't think that is the problem.

To summarize, basically evmctl labels the filesystem properly, but opening
existing files or creating new ones, in fix mode, doesn't result in proper
labeling of files. Try experimenting with root owned files.

> Also, is there a way (or is the project working on it) to switch from
> enforcing to fix mode (similar as the permissive/enforcing in SELinux) for
> development purposes? It'd be nice to just be able to do something like:
>
> #v+
> ~# ima_enforce 0
> ~# evmctl ima_hash /etc/selinux/strict/policy/policy.27
> ~# ima_enforce 1
> #v-
>
> and then just continue working with it, without having to resort to
> rebooting all over again. Preferably (just like with SELinux) a kernel
> parameter that only allows this for development purposes, not for a
> production system (as that would thwart the advantage of IMA anyhow).
>
> Wkr,
> Sven Vermeulen

Sorry, changing from enforcing to fix mode on a running system is not
currently implemented.

Mimi

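Two points from Mimi's replies in this thread are easy to get wrong: `ima_tcb` measures files *opened* by root while `ima_appraise_tcb` appraises files *owned* by root (this reply), and `fsmagic` selects on the filesystem's superblock magic, not on the first bytes of the file (her 2012-12-31 reply above on policy.27). The following is an added model of IMA rule matching written for this page, not kernel code and not from the thread; the first-match-per-category semantics, the rule list modelled on the tcb defaults, the ext4 magic for the root filesystem and the owner uid 250 for the zlib tarball are assumptions, and Jason's `obj_type=my_app_t` rule from the end of the thread parses with it too.

```python
"""Simplified model of IMA policy rule matching (added example; not kernel
code and not from the thread).

Rule syntax follows the lines quoted in the thread, e.g.
    dont_measure fsmagic=0x01021994
    measure func=FILE_CHECK mask=MAY_READ uid=0
    appraise fowner=0
Semantics modelled: rules are scanned in order and, independently for the
measure and appraise categories, the first matching rule decides. The rule
list below is modelled on the ima_tcb / ima_appraise_tcb defaults; consult
the ima_policy.c of your kernel for the authoritative set.
"""
from dataclasses import dataclass, field

TMPFS_MAGIC = 0x01021994      # quoted in the thread: /run is a tmpfs
SELINUX_MAGIC = 0xF97CFF8C    # quoted in the thread: the selinuxfs superblock
EXT4_SUPER_MAGIC = 0xEF53     # ext4 superblock magic (assumed for the root fs)

# Which decision each action belongs to.
CATEGORY = {"measure": "measure", "dont_measure": "measure",
            "appraise": "appraise", "dont_appraise": "appraise"}
INT_KEYS = ("fsmagic", "uid", "fowner")
STR_KEYS = ("func", "mask", "obj_type", "obj_user", "obj_role",
            "subj_type", "subj_user", "subj_role")


@dataclass
class Rule:
    action: str
    conds: dict = field(default_factory=dict)

    def matches(self, ctx: dict) -> bool:
        """All conditions must hold for the open being evaluated.

        fsmagic is compared with the *filesystem* superblock magic; the file's
        own leading bytes (ctx['head'], if present) are never consulted.
        uid is the opening process, fowner is the file's owner.
        """
        return all(ctx.get(key) == value for key, value in self.conds.items())


def parse_rule(line: str) -> Rule:
    """Parse one policy line into a Rule; rejects unknown actions/conditions."""
    action, *conds = line.split()
    if action not in CATEGORY:
        raise ValueError(f"unknown action {action!r}")
    parsed = {}
    for cond in conds:
        key, _, value = cond.partition("=")
        if key in INT_KEYS:
            parsed[key] = int(value, 0)        # accepts 0x... and decimal
        elif key in STR_KEYS:
            parsed[key] = value
        else:
            raise ValueError(f"unsupported condition {key!r}")
    return Rule(action, parsed)


def evaluate(rules: list, ctx: dict) -> dict:
    """First matching rule per category wins; no match means no action."""
    decided = {}
    for rule in rules:
        cat = CATEGORY[rule.action]
        if cat not in decided and rule.matches(ctx):
            decided[cat] = not rule.action.startswith("dont_")
        if len(decided) == 2:
            break
    return {"measure": decided.get("measure", False),
            "appraise": decided.get("appraise", False)}


def open_ctx(fsmagic, uid, fowner, func="FILE_CHECK", mask="MAY_READ", **extra):
    """Describe one file open: filesystem, opener uid, file owner, hook, mask."""
    return {"fsmagic": fsmagic, "uid": uid, "fowner": fowner,
            "func": func, "mask": mask, **extra}


POLICY = [parse_rule(line) for line in """
dont_measure fsmagic=0x01021994
dont_measure fsmagic=0xf97cff8c
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0xf97cff8c
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
appraise fowner=0
""".splitlines() if line.strip()]

# Constructed sample opens modelled on the thread (owner uid 250 is constructed).
ZLIB_TARBALL = open_ctx(EXT4_SUPER_MAGIC, uid=0, fowner=250)   # root reads a non-root file
POLICY_27 = open_ctx(EXT4_SUPER_MAGIC, uid=0, fowner=0,        # root-owned binary policy
                     head=bytes.fromhex("8cff7cf9"))           # content magic: irrelevant
RUN_UTMP = open_ctx(TMPFS_MAGIC, uid=0, fowner=0)              # /run is tmpfs
SELINUXFS_POLICY = open_ctx(SELINUX_MAGIC, uid=0, fowner=0)    # pseudo-file on selinuxfs

if __name__ == "__main__":
    for name, ctx in [("zlib-1.2.7.tar.gz", ZLIB_TARBALL), ("policy.27", POLICY_27),
                      ("/run/utmp", RUN_UTMP), ("/sys/fs/selinux/policy", SELINUXFS_POLICY)]:
        print(f"{name:24} {evaluate(POLICY, ctx)}")
```

The zlib tarball comes out measured but not appraised, policy.27 both (its SELINUX_MAGIC content bytes never enter the decision), and anything on tmpfs or selinuxfs neither, which is the behaviour the thread observed.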
From: Sven V. <sve...@si...> - 2012-12-30 15:01:49
Hi all,

I'm testing out the Linux-IMA/EVM implementation on a virtual guest (Linux
kernel 3.7 but patched with grSecurity on top of it). When running with
"ima_appraise=fix ima_appraise_tcb evm=fix ima_tcb" as kernel parameters, I
notice that the measurements are not always properly stored as extended
attributes. When running in enforcing, I also notice that something similar
occurs with newly created files - not always, but it doesn't take long
before I need to reboot my system back in "fix" mode so that important
files, such as the SELinux policy file, are re-measured & stored again.

As an example, in "fix" mode:

#v+
~# getfattr -m . -d zlib-1.2.7.tar.gz
# file: zlib-1.2.7.tar.gz
security.selinux="system_u:object_r:portage_ebuild_t"

~# head -n 1 zlib-1.2.7.tar.gz
[... some random cruft ...]

~# grep zlib /sys/kernel/security/ima/ascii_runtime_measurements
10 c1673676dd06fbd9a180d3ae1e4aacf858fd493c ima f9b57333bb7243bd6d4f3d9ffa705c1bef5404db /usr/lib64/python2.7/lib-dynload/zlib.so
10 0c1cecb9f8ddd173d981d189dff0ebe2d5d9bc8d ima 4aa358a95d1e5774603e6fa149c926a80df43559 /usr/portage/distfiles/zlib-1.2.7.tar.gz

~# getfattr -m . -d zlib-1.2.7.tar.gz
# file: zlib-1.2.7.tar.gz
security.selinux="system_u:object_r:portage_ebuild_t"
#v-

When I use evmctl ima_hash against the file, it does get the proper
attribute set. At [1] you can find the custom policy I use (mainly the
default one but don't measure various log filetypes as provided through
SELinux types), but since the files do get measured (they come up in the
ascii_runtime_measurements pseudofile) I don't think that is the problem.

Also, is there a way (or is the project working on it) to switch from
enforcing to fix mode (similar as the permissive/enforcing in SELinux) for
development purposes? It'd be nice to just be able to do something like:

#v+
~# ima_enforce 0
~# evmctl ima_hash /etc/selinux/strict/policy/policy.27
~# ima_enforce 1
#v-

and then just continue working with it, without having to resort to
rebooting all over again. Preferably (just like with SELinux) a kernel
parameter that only allows this for development purposes, not for a
production system (as that would thwart the advantage of IMA anyhow).

Wkr,
Sven Vermeulen

[1] http://www.gentoo.org/proj/en/hardened/integrity/docs/ima-guide.xml#doc_chap4_pre4

From: Jason C. <jas...@gm...> - 2012-09-19 06:39:15
|
Hi Mimi,

Sorry for the late reply. Thank you for your suggestion. It's very useful. :-)

Regards,
Jason

2012/9/16 Mimi Zohar <zo...@li...>
> On Fri, 2012-09-14 at 13:17 +0800, Jason Chow wrote:
> > Hi all,
> >
> > The selinux extend to the measurement list could be written like
> > 'measure func=FILE_CHECK mask=MAY_READ obj_type=my_app_t'. Where could
> > I find documentation about the selinux extension? For example, how many
> > masks could there be? If I want to measure some files after the system
> > is on, even with no operations (no read or exec ops) on these files, how
> > do I write the policy file?
>
> The IMA measurement/appraisal policy is limited at the moment to three
> hooks, file_check, file_mmap, and bprm_check. The default policy
> measures/appraises files opened for read at file_check and defers the
> measurement/appraisal of files opened for exec to file_mmap/bprm_check.
> A custom policy based on SELinux labels could be used to constrain the
> default policy even further (eg. don't measure log files or VMs).
>
> A hook for measuring/appraising kernel modules has been proposed. Other
> than these hooks, there is no mechanism for measuring/appraising files.
> Previous work defined a mechanism for registering other types of
> templates, which was not limited to these hooks. For more information
> on LIM/templates, which was not upstreamed, refer to
> https://lkml.org/lkml/2008/10/13/344.
>
> thanks,
>
> Mimi
>
> |
|
From: Mimi Z. <zo...@li...> - 2012-09-16 01:38:37
|
On Fri, 2012-09-14 at 13:17 +0800, Jason Chow wrote:
> Hi all,
>
> The selinux extend to the measurement list could be written like
> 'measure func=FILE_CHECK mask=MAY_READ obj_type=my_app_t'. Where could
> I find documentation about the selinux extension? For example, how many
> masks could there be? If I want to measure some files after the system
> is on, even with no operations (no read or exec ops) on these files, how
> do I write the policy file?

The IMA measurement/appraisal policy is limited at the moment to three hooks, file_check, file_mmap, and bprm_check. The default policy measures/appraises files opened for read at file_check and defers the measurement/appraisal of files opened for exec to file_mmap/bprm_check. A custom policy based on SELinux labels could be used to constrain the default policy even further (eg. don't measure log files or VMs).

A hook for measuring/appraising kernel modules has been proposed. Other than these hooks, there is no mechanism for measuring/appraising files. Previous work defined a mechanism for registering other types of templates, which was not limited to these hooks. For more information on LIM/templates, which was not upstreamed, refer to https://lkml.org/lkml/2008/10/13/344.

thanks,

Mimi |
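To make the matching described in Mimi's reply concrete, here is an added example (not kernel code and not from the mail) that models an ordered IMA policy using the rule syntax quoted in the question and the three hooks named in the answer. It assumes a simplified first-match semantics (rules are walked in order and the first one whose conditions all hold decides whether the access is measured), uses the kernel's TMPFS_MAGIC value, and all SELinux types and accesses are constructed.

```python
"""Model of how an ordered IMA measurement policy is matched against a file access.
Added example, not kernel code and not from the mail; it covers only the pieces
named in this thread (measure/dont_measure, func=, mask=, fsmagic=, obj_type=)."""
from collections import namedtuple

HOOKS = {"FILE_CHECK", "FILE_MMAP", "BPRM_CHECK"}        # the three hooks named above
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_EXEC", "MAY_APPEND"}
TMPFS_MAGIC = 0x01021994                                   # include/uapi/linux/magic.h

# One access as the policy sees it: hook, requested permission, fs magic, SELinux type.
Access = namedtuple("Access", "func mask fsmagic obj_type")

def parse_rule(text):
    """'measure func=FILE_CHECK mask=MAY_READ obj_type=my_app_t' -> (action, conditions)."""
    action, *conds = text.split()
    if action not in ("measure", "dont_measure"):
        raise ValueError("unknown action: " + action)
    parsed = {}
    for cond in conds:
        key, sep, val = cond.partition("=")
        if not sep or key not in ("func", "mask", "fsmagic", "obj_type"):
            raise ValueError("unsupported condition: " + cond)
        if key == "func" and val not in HOOKS:
            raise ValueError("unknown hook: " + val)
        if key == "mask" and val not in MASKS:
            raise ValueError("unknown mask: " + val)
        parsed[key] = int(val, 0) if key == "fsmagic" else val   # 0x... magic accepted
    return action, parsed

def rule_matches(conds, access):
    """Every condition present in the rule must hold; absent conditions match anything."""
    return all(getattr(access, key) == val for key, val in conds.items())

def is_measured(policy, access):
    """Walk the rules in order; the first match decides (assumed simplified semantics)."""
    for action, conds in policy:
        if rule_matches(conds, access):
            return action == "measure"
    return False                                # no rule matched: not measured

# Constructed policy in the spirit of the thread: exclude tmpfs and SELinux log files
# first, then default-style rules (exec via bprm_check/file_mmap, reads via file_check).
POLICY = [parse_rule(rule) for rule in (
    "dont_measure fsmagic=0x01021994",
    "dont_measure obj_type=var_log_t",
    "measure func=BPRM_CHECK mask=MAY_EXEC",
    "measure func=FILE_MMAP mask=MAY_EXEC",
    "measure func=FILE_CHECK mask=MAY_READ",
)]

if __name__ == "__main__":
    acc = Access("FILE_CHECK", "MAY_READ", TMPFS_MAGIC, "initrc_var_run_t")
    print("tmpfs read measured?", is_measured(POLICY, acc))
```

Swapping the order so that a measure rule precedes the dont_measure rules shows why the exclusions have to come first: the broader measure rule would already have matched.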
|
From: Jason C. <jas...@gm...> - 2012-09-14 05:17:38
|
Hi all,

The selinux extend to the measurement list could be written like 'measure func=FILE_CHECK mask=MAY_READ obj_type=my_app_t'. Where could I find documentation about the selinux extension? For example, how many masks could there be? If I want to measure some files after the system is on, even with no operations (no read or exec ops) on these files, how do I write the policy file?

Thanks for your reply!

Thanks and regards,
Jason |
|
From: Andreas S. <and...@st...> - 2012-09-13 08:35:13
|
Hi Jason,

yes, from my experience you can set the IMA policy only once and then the policy file disappears. This is probably a security feature preventing malware or a mischievous superuser from intentionally weakening the IMA policy at a later stage. I set the policy at the earliest possible stage using a dracut initramfs.

Best regards

Andreas

On 13.09.2012 10:24, Jason Chow wrote:
> Hi Andreas,
>
> After I rebooted the machine, the 'permission denied' error disappeared.
> However, once I cat a policy into '<security fs>/ima/policy', the
> policy file disappeared. Is that a normal situation? And if I want to
> change the policy into another one, what can I do except for rebooting
> the machine?
>
> Thanks and regards,
> Jason
>
> 2012/9/13 Jason Chow <jas...@gm... <mailto:jas...@gm...>>
>
> Hi Andreas,
>
> When I use cat to input my policy into '<security fs>/ima/policy'
> with root account, 'permission denied' error came out to reject the
> modification.
> Do you have any idea about this?
> Thanks for your help.
>
> Jason
>
> 2012/9/11 Andreas Steffen <and...@st... <mailto:and...@st...>>
>
> Hi Jason,
>
> you find information on how to define a custom-defined IMA policy
> under this link:
>
> http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page#Defining_an_LSM_specific_policy
>
> The custom policy is applied during the early boot process using
> a dracut initramfs.
>
> If you want to specify specific files or directories to be measured
> then you must tag your file system using SE Linux. I tried this
> approach to measure all Linux kernel modules. Have a look at the
> custom IMA policy shown in Fig. 6 of my Linux IMA remote
> attestation paper
>
> http://www.strongswan.org/lss2012.pdf
>
> Best regards
>
> Andreas
>
> On 10.09.2012 16:17, Jason Chow wrote:
> > Hi all,
> >
> > I'm a newbie in IMA, and I'm very interested in it. Could you help me to
> > get familiar with it. Thanks a lot.
> >
> > As I know, new kernel has already put IMA in mainline. And I have
> > already enabled it. But I'm confused with how to configure the measurement
> > list to make it do a measurement for files as I wished. However I cannot
> > find any documents about how to do this configuration. Any help from you
> > will be highly appreciated.
> >
> > Thanks a lot.
> >
> > Jason

======================================================================
Andreas Steffen and...@st...
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]== |
|
From: Jason C. <jas...@gm...> - 2012-09-13 08:24:50
|
Hi Andreas,

After I rebooted the machine, the 'permission denied' error disappeared. However, once I cat a policy into '<security fs>/ima/policy', the policy file disappeared. Is that a normal situation? And if I want to change the policy into another one, what can I do except for rebooting the machine?

Thanks and regards,
Jason

2012/9/13 Jason Chow <jas...@gm...>
> Hi Andreas,
>
> When I use cat to input my policy into '<security fs>/ima/policy' with
> root account, 'permission denied' error came out to reject the modification.
> Do you have any idea about this?
> Thanks for your help.
>
> Jason
>
> 2012/9/11 Andreas Steffen <and...@st...>
>
>> Hi Jason,
>>
>> you find information on how to define a custom-defined IMA policy
>> under this link:
>>
>> http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page#Defining_an_LSM_specific_policy
>>
>> The custom policy is applied during the early boot process using
>> a dracut initramfs.
>>
>> If you want to specify specific files or directories to be measured
>> then you must tag your file system using SE Linux. I tried this
>> approach to measure all Linux kernel modules. Have a look at the
>> custom IMA policy shown in Fig. 6 of my Linux IMA remote attestation paper
>>
>> http://www.strongswan.org/lss2012.pdf
>>
>> Best regards
>>
>> Andreas
>>
>> On 10.09.2012 16:17, Jason Chow wrote:
>> > Hi all,
>> >
>> > I'm a newbie in IMA, and I'm very interested in it. Could you help me to
>> > get familiar with it. Thanks a lot.
>> >
>> > As I know, new kernel has already put IMA in mainline. And I have
>> > already enabled it. But I'm confused with how to configure the measurement
>> > list to make it do a measurement for files as I wished. However I cannot
>> > find any documents about how to do this configuration. Any help from you
>> > will be highly appreciated.
>> >
>> > Thanks a lot.
>> >
>> > Jason
>>
>> ======================================================================
>> Andreas Steffen and...@st...
>> strongSwan - the Linux VPN Solution! www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
>>
> |
|
From: Jason C. <jas...@gm...> - 2012-09-13 07:06:28
|
Hi Andreas,

When I use cat to input my policy into '<security fs>/ima/policy' with root account, 'permission denied' error came out to reject the modification.
Do you have any idea about this?
Thanks for your help.

Jason

2012/9/11 Andreas Steffen <and...@st...>
> Hi Jason,
>
> you find information on how to define a custom-defined IMA policy
> under this link:
>
> http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page#Defining_an_LSM_specific_policy
>
> The custom policy is applied during the early boot process using
> a dracut initramfs.
>
> If you want to specify specific files or directories to be measured
> then you must tag your file system using SE Linux. I tried this
> approach to measure all Linux kernel modules. Have a look at the
> custom IMA policy shown in Fig. 6 of my Linux IMA remote attestation paper
>
> http://www.strongswan.org/lss2012.pdf
>
> Best regards
>
> Andreas
>
> On 10.09.2012 16:17, Jason Chow wrote:
> > Hi all,
> >
> > I'm a newbie in IMA, and I'm very interested in it. Could you help me to
> > get familiar with it. Thanks a lot.
> >
> > As I know, new kernel has already put IMA in mainline. And I have
> > already enabled it. But I'm confused with how to configure the measurement
> > list to make it do a measurement for files as I wished. However I cannot
> > find any documents about how to do this configuration. Any help from you
> > will be highly appreciated.
> >
> > Thanks a lot.
> >
> > Jason
>
> ======================================================================
> Andreas Steffen and...@st...
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
> |
|
From: jason z. <jas...@gm...> - 2012-09-11 05:39:21
|
Hi Mimi,

Thanks for your help. But that information is too general, while I want to know how to specify a specific file for IMA. However, both the documentation and the webpage do not help. Fortunately, I've got a way from Andreas using SElinux to tag those files. I'm working on it. Could you give any other suggestion for me? Anyway, thanks a lot.

Regards,
Jason

2012/9/11 Mimi Zohar <zo...@li...>
> On Mon, 2012-09-10 at 22:17 +0800, Jason Chow wrote:
> > Hi all,
> >
> > I'm a newbie in IMA, and I'm very interested in it. Could you help me
> > to get familiar with it. Thanks a lot.
> >
> > As I know, new kernel has already put IMA in mainline. And I have
> > already enabled it. But I'm confused with how to configure the
> > measurement list to make it do a measurement for files as I wished.
> > However I cannot find any documents about how to do this
> > configuration. Any help from you will be highly appreciated.
>
> Hi Jason,
>
> General information about the linux-integrity subsystem is available
> from the wiki:
> http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page.
> For additional information about the IMA policy, please refer to
> Documentation/ABI/testing/ima_policy.
>
> Mimi
>
>
> |
|
From: jason z. <jas...@gm...> - 2012-09-11 03:10:43
|
Hi Andreas,

Thank you for your kind help. It did me a great favor. :-)

2012/9/11 Andreas Steffen <and...@st...>
> Hi Jason,
>
> you find information on how to define a custom-defined IMA policy
> under this link:
>
> http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page#Defining_an_LSM_specific_policy
>
> The custom policy is applied during the early boot process using
> a dracut initramfs.
>
> If you want to specify specific files or directories to be measured
> then you must tag your file system using SE Linux. I tried this
> approach to measure all Linux kernel modules. Have a look at the
> custom IMA policy shown in Fig. 6 of my Linux IMA remote attestation paper
>
> http://www.strongswan.org/lss2012.pdf
>
> Best regards
>
> Andreas
>
> On 10.09.2012 16:17, Jason Chow wrote:
> > Hi all,
> >
> > I'm a newbie in IMA, and I'm very interested in it. Could you help me to
> > get familiar with it. Thanks a lot.
> >
> > As I know, new kernel has already put IMA in mainline. And I have
> > already enabled it. But I'm confused with how to configure the measurement
> > list to make it do a measurement for files as I wished. However I cannot
> > find any documents about how to do this configuration. Any help from you
> > will be highly appreciated.
> >
> > Thanks a lot.
> >
> > Jason
>
> ======================================================================
> Andreas Steffen and...@st...
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
> |
|
From: Andreas S. <and...@st...> - 2012-09-10 18:41:42
|
Hi Jason,

you find information on how to define a custom-defined IMA policy under this link:

http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page#Defining_an_LSM_specific_policy

The custom policy is applied during the early boot process using a dracut initramfs.

If you want to specify specific files or directories to be measured then you must tag your file system using SE Linux. I tried this approach to measure all Linux kernel modules. Have a look at the custom IMA policy shown in Fig. 6 of my Linux IMA remote attestation paper

http://www.strongswan.org/lss2012.pdf

Best regards

Andreas

On 10.09.2012 16:17, Jason Chow wrote:
> Hi all,
>
> I'm a newbie in IMA, and I'm very interested in it. Could you help me to
> get familiar with it. Thanks a lot.
>
> As I know, new kernel has already put IMA in mainline. And I have
> already enabled it. But I'm confused with how to configure the measurement
> list to make it do a measurement for files as I wished. However I cannot
> find any documents about how to do this configuration. Any help from you
> will be highly appreciated.
>
> Thanks a lot.
>
> Jason

======================================================================
Andreas Steffen and...@st...
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]== |
|
From: Peter M. <pm...@go...> - 2012-09-10 18:33:58
|
On Mon, Sep 10, 2012 at 7:17 AM, Jason Chow <jas...@gm...> wrote:
> Hi all,
>
> I'm a newbie in IMA, and I'm very interested in it. Could you help me to get
> familiar with it. Thanks a lot.
>
> As I know, new kernel has already put IMA in mainline. And I have already
> enabled it. But I'm confused with how to configure the measurement list to
> make it do a measurement for files as I wished. However I cannot find any
> documents about how to do this configuration. Any help from you will be
> highly appreciated.

start here: http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page

Cheers,
peter

--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038 |
|
From: Mimi Z. <zo...@li...> - 2012-09-10 18:18:48
|
On Mon, 2012-09-10 at 22:17 +0800, Jason Chow wrote:
> Hi all,
>
> I'm a newbie in IMA, and I'm very interested in it. Could you help me
> to get familiar with it. Thanks a lot.
>
> As I know, new kernel has already put IMA in mainline. And I have
> already enabled it. But I'm confused with how to configure the
> measurement list to make it do a measurement for files as I wished.
> However I cannot find any documents about how to do this
> configuration. Any help from you will be highly appreciated.

Hi Jason,

General information about the linux-integrity subsystem is available from the wiki: http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page. For additional information about the IMA policy, please refer to Documentation/ABI/testing/ima_policy.

Mimi |