linux-ima-user — Q&A for users of IMA

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Lennart P. <le...@po...>]

On Mon, 20.02.12 20:06, Roberto Sassu (rob...@po...) wrote:

> >We moved SELinux loading out of the initrd into systemd, in order to
> >support fully featured initrd-less boots. I don't think we should reopen
> >this problem set by having IMA in the initrd. I believe IMA should be
> >treated pretty much exactly like SELinux here: the policy should be
> >loaded from PID1 and it needs to be a compile time option, and it needs
> >a kernel cmdline option to disable it (i.e. like selinux=0).
> >
> 
> If the SELinux module in dracut is to be considered definitively broken
> probably also the IMA module should be removed, because it will not be
> possible to load policies with LSM rules. But i don't know how this
> feature can be supported by distributions without Systemd installed.

Well, if the rumours I keep hearing are true Ubuntu might join the
systemd camp too after their LTS release. Maybe the supporting
non-systemd systems issues solves itself by that for you?

> Regarding the kernel option, actually there is no a specific parameter
> to disable IMA. However, it can be introduced in the patches proposed
> by Mimi Zohar about the 'ima-appraisal' feature. This can allow to
> disable IMA or to put it in permissive/enforce mode as it happens for
> example in SELinux.

Whether there is a kernel option to enable/disable IMA will not stop
these patches from getting into systemd. But I am quite sure they will
stop IMA from getting any wider coverage in the mainstream distributions
(if you care for that).

Oh, and one more thing: it matters to me that this doesn't break my
build. So it needs to allow me booting when enabled in configure, but
without any IMA policy around.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Roberto S. <rob...@po...>]

On 02/20/2012 07:52 PM, Lennart Poettering wrote:
> On Mon, 20.02.12 19:23, Roberto Sassu (rob...@po...) wrote:
>
>>>> +               log_error("mmap() failed (%s), freezing", strerror(errno));
>>>> +               result = -errno;
>>>> +               goto out;
>>>> +       }
>>>> +
>>>> +       while(written<   policy_size) {
>>>> +               ssize_t len = write(imafd, policy + written,
>>>> +                                   policy_size - written);
>>>> +               if (len<= 0) {
>>>> +                         log_error("Failed to load the IMA custom policy "
>>>> +                                   "file %s (%s), ignoring.", IMA_POLICY_PATH,
>>>> +                                   strerror(errno));
>>>> +                         goto out_mmap;
>>>> +               }
>>>> +               written += len;
>>>> +       }
>>>
>>> It might make sense to use loop_write() here instead, which does more or
>>> less this loop, and is defined in util.c anyway.
>>
>> I briefly looked at the code and i'm not sure to use it, because i want
>> to add some extra information in the output message (for example the
>> line number of the rule in the policy file that was rejected by IMA).
>
> Line number? The policy is text? Your code above doesn't print any line
> numbers?
>

Sorry, this is not done in the current patch. But i think it may be
useful for a user to know what rule is being rejected by IMA.
Yes, the policy is text.

Thanks

Roberto Sassu


> Lennart
>

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Roberto S. <rob...@po...>]

On 02/20/2012 06:24 PM, Lennart Poettering wrote:
> On Thu, 16.02.12 19:50, Gustavo Sverzut Barbieri (bar...@pr...) wrote:
>
>>>> Then I wonder: why not make an ima-init binary that:
>>>>    - does ima_setup()
>>>>    - exec systemd || upstart || ...
>>>>
>>>> this way you only have to audit this very small file and not systemd
>>>> itself, it's very early and so on.
>>>>
>>>
>>> This does not work because SELinux is initialized inside Systemd and IMA
>>> requires it for parsing LSM rules in the policy.
>>
>> initramfs may do it as well, no? then systemd will inherit it.
>
> We moved SELinux loading out of the initrd into systemd, in order to
> support fully featured initrd-less boots. I don't think we should reopen
> this problem set by having IMA in the initrd. I believe IMA should be
> treated pretty much exactly like SELinux here: the policy should be
> loaded from PID1 and it needs to be a compile time option, and it needs
> a kernel cmdline option to disable it (i.e. like selinux=0).
>

If the SELinux module in dracut is to be considered definitively broken
probably also the IMA module should be removed, because it will not be
possible to load policies with LSM rules. But i don't know how this
feature can be supported by distributions without Systemd installed.

Regarding the kernel option, actually there is no a specific parameter
to disable IMA. However, it can be introduced in the patches proposed
by Mimi Zohar about the 'ima-appraisal' feature. This can allow to
disable IMA or to put it in permissive/enforce mode as it happens for
example in SELinux.

Thanks

Roberto Sassu


> Lennart
>

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Lennart P. <le...@po...>]

On Mon, 20.02.12 19:36, Roberto Sassu (rob...@po...) wrote:

> 
> On 02/20/2012 06:14 PM, Lennart Poettering wrote:
> >On Wed, 15.02.12 18:12, Roberto Sassu (rob...@po...) wrote:
> >
> >>The location of the policy file is not IMA dependent. I chose that
> >>because it seemed to me the right place where to put this file.
> >>So, i can easily modify the location to be distribution independent
> >>but i don't known which directory would be appropriate.
> >>Any proposal?
> >
> >/etc/ima.conf or /etc/ima/ima.conf sound like obvious candidates.
> >
> 
> I prefer the first one, because the second pathname raises the problem
> of creating a new subdirectory. However, i think we should keep the
> word 'policy' in the file name to avoid users believe that is a
> configuration file.

Creating a subdir is a problem? How so?

You should use a subdir /etc/ima/ if there's the chance that sooner or
later you might have to add another config file of some sorts to IMA. If
you are really sure that never happens, then you don't need the dir, but
if you are in doubt, better use one. (But this is the policy file,
right? so i figure you might end up with adding a conf file with options
like selinux' enforcing/permissive later on, so i think you should
better add a dir)

(Oh, and in contrast to what i suggested, if this is the policy file,
and not a configuration file, the .conf suffix of course makes little sense)

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Lennart P. <le...@po...>]

On Mon, 20.02.12 19:23, Roberto Sassu (rob...@po...) wrote:

> >>+               log_error("mmap() failed (%s), freezing", strerror(errno));
> >>+               result = -errno;
> >>+               goto out;
> >>+       }
> >>+
> >>+       while(written<  policy_size) {
> >>+               ssize_t len = write(imafd, policy + written,
> >>+                                   policy_size - written);
> >>+               if (len<= 0) {
> >>+                         log_error("Failed to load the IMA custom policy "
> >>+                                   "file %s (%s), ignoring.", IMA_POLICY_PATH,
> >>+                                   strerror(errno));
> >>+                         goto out_mmap;
> >>+               }
> >>+               written += len;
> >>+       }
> >
> >It might make sense to use loop_write() here instead, which does more or
> >less this loop, and is defined in util.c anyway.
> 
> I briefly looked at the code and i'm not sure to use it, because i want
> to add some extra information in the output message (for example the
> line number of the rule in the policy file that was rejected by IMA).

Line number? The policy is text? Your code above doesn't print any line
numbers?

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Roberto S. <rob...@po...>]

On 02/20/2012 06:14 PM, Lennart Poettering wrote:
> On Wed, 15.02.12 18:12, Roberto Sassu (rob...@po...) wrote:
>
>> The location of the policy file is not IMA dependent. I chose that
>> because it seemed to me the right place where to put this file.
>> So, i can easily modify the location to be distribution independent
>> but i don't known which directory would be appropriate.
>> Any proposal?
>
> /etc/ima.conf or /etc/ima/ima.conf sound like obvious candidates.
>

I prefer the first one, because the second pathname raises the problem
of creating a new subdirectory. However, i think we should keep the
word 'policy' in the file name to avoid users believe that is a
configuration file.

Once we define the new pathname, i will also create a patch for
the IMA module in dracut to make sure things work also for
distributions that do not have Systemd installed.

Thanks

Roberto Sassu


> Lennart
>

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Roberto S. <rob...@po...>]

On 02/20/2012 06:12 PM, Lennart Poettering wrote:
> On Wed, 15.02.12 14:23, Roberto Sassu (rob...@po...) wrote:
>
>> The new function ima_setup() loads an IMA custom policy from a file in the
>> default location '/etc/sysconfig/ima-policy', if present, and writes it to
>> the path 'ima/policy' in the security filesystem. This function is executed
>> at early stage in order to avoid that some file operations are not measured
>> by IMA and it is placed after the initialization of SELinux because IMA
>> needs the latter (or other security modules) to understand LSM-specific
>> rules.
>
> This must be a configure option. I am pretty sure most embedded people
> don't require this feature.
>
> The kernel side of things is merged upstream I presume? (We generally
> only want to support stuff in our code that is merged upstream itself)
>

Yes. IMA was in the mainline kernel since 2.6.30.


>> +#define IMA_SECFS_DIR SECURITYFS_MNTPOINT "/ima"
>> +#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy"
>
> Please use proper strings for this. (see my earlier mail)
>

Ok, i will replace the former with the hard-coded pathname.


>> +#define IMA_POLICY_PATH "/etc/sysconfig/ima-policy"
>
> This is a Fedoraism. Please introduce a proper configuration file for this.
>

Ok, i will answer about this in the next your email.


>> +
>> +int ima_setup(void) {
>> +       struct stat st;
>> +       ssize_t policy_size = 0, written = 0;
>> +       char *policy;
>> +       int policyfd = -1, imafd = -1;
>> +       int result = 0;
>> +
>> +#ifndef HAVE_SELINUX
>> +       /* Mount the securityfs filesystem */
>> +       mount_setup_early();
>> +#endif
>> +
>> +       if (stat(IMA_POLICY_PATH,&st) == -1)
>> +               return 0;
>
> We tend to do "<  0" instead of "== -1" checks for syscall
> failures. Might be good to use the same here, but this is not necessary
> for getting this merged.
>

Ok.


>> +
>> +       policyfd = open(IMA_POLICY_PATH, O_RDONLY);
>
> We tend to add O_CLOEXEC to all fds we open, just for being
> paranoid. Please do so here, too, to avoid surprise and avoid exceptions
> when people grep for all open() invocations looking for O_CLOEXEC.
>

No problem, i will do the change.


>> +       if (policyfd<  0) {
>> +               log_error("Failed to open the IMA custom policy file %s (%s), "
>> +                         "ignoring.", IMA_POLICY_PATH, strerror(errno));
>> +               return 0;
>> +       }
>
> Consider using %m instead of %s and strerror(errno).
>
>> +       imafd = open(IMA_SECFS_POLICY, O_WRONLY);
>
> Also O_CLOEXEC please.
>
>> +       if (imafd<  0) {
>> +               log_error("Failed to open the IMA kernel interface %s (%s), "
>> +                         "ignoring.", IMA_SECFS_POLICY, strerror(errno));
>> +               goto out;
>> +       }
>> +
>> +       policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0);
>> +       if (policy == NULL) {
>
> mmap() returns MAP_FAILED (i.e. (void) -1) on failure, not NULL. This
> check needs to be fixed.
>

Ok, i will replace NULL with MAP_FAILED.


>> +               log_error("mmap() failed (%s), freezing", strerror(errno));
>> +               result = -errno;
>> +               goto out;
>> +       }
>> +
>> +       while(written<  policy_size) {
>> +               ssize_t len = write(imafd, policy + written,
>> +                                   policy_size - written);
>> +               if (len<= 0) {
>> +                         log_error("Failed to load the IMA custom policy "
>> +                                   "file %s (%s), ignoring.", IMA_POLICY_PATH,
>> +                                   strerror(errno));
>> +                         goto out_mmap;
>> +               }
>> +               written += len;
>> +       }
>
> It might make sense to use loop_write() here instead, which does more or
> less this loop, and is defined in util.c anyway.
>

I briefly looked at the code and i'm not sure to use it, because i want
to add some extra information in the output message (for example the
line number of the rule in the policy file that was rejected by IMA).

Thanks

Roberto Sassu


> Otherwise looks good.
>
> Lennart
>

Re: [Linux-ima-user] [systemd-devel] [PATCH 1/2] systemd: mount the securityfs filesystem at early stage

[Roberto S. <rob...@po...>]

On 02/20/2012 06:04 PM, Lennart Poettering wrote:
> On Wed, 15.02.12 14:23, Roberto Sassu (rob...@po...) wrote:
>
>> The mount of the securityfs filesystem is now performed in the main systemd
>> executable as it is used by IMA to provide the interface for loading custom
>> policies. The unit file 'units/sys-kernel-security.mount' has been removed
>> because it is not longer necessary.
>>
>> +#define SECURITYFS_MNTPOINT "/sys/kernel/security"
>> +
>
> Just use the proper path name here. Not sure why we would want a macro
> for this, as things are simpler with literal strings for this, the path
> is unlikely to change and we generaly don't do this for any of the other
> paths.
>

Hi Lennart

thanks for the review! I'm starting to address issues now.

I created the above macro to avoid that changing this path breaks
other code, but probably yes, its value is unlikely to change.
I will remove it.


Roberto Sassu


> Lennart
>

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Lennart P. <le...@po...>]

On Thu, 16.02.12 19:50, Gustavo Sverzut Barbieri (bar...@pr...) wrote:

> >> Then I wonder: why not make an ima-init binary that:
> >>   - does ima_setup()
> >>   - exec systemd || upstart || ...
> >>
> >> this way you only have to audit this very small file and not systemd
> >> itself, it's very early and so on.
> >>
> >
> > This does not work because SELinux is initialized inside Systemd and IMA
> > requires it for parsing LSM rules in the policy.
> 
> initramfs may do it as well, no? then systemd will inherit it.

We moved SELinux loading out of the initrd into systemd, in order to
support fully featured initrd-less boots. I don't think we should reopen
this problem set by having IMA in the initrd. I believe IMA should be
treated pretty much exactly like SELinux here: the policy should be
loaded from PID1 and it needs to be a compile time option, and it needs
a kernel cmdline option to disable it (i.e. like selinux=0).

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Lennart P. <le...@po...>]

On Thu, 16.02.12 12:30, Gustavo Sverzut Barbieri (bar...@pr...) wrote:

> > Since the policy loading can be implemented in different ways depending
> > on the init system (systemd, upstart, ...), an user must identify the
> > components to be measured for each case. Instead, if the IMA policy is
> > loaded in the main Systemd executable, only this file must be measured
> > by the boot loader.
> 
> Then I wonder: why not make an ima-init binary that:
>   - does ima_setup()
>   - exec systemd || upstart || ...
> 
> this way you only have to audit this very small file and not systemd
> itself, it's very early and so on.

We worked really hard on being able to load the SELinux policy without
any unnecessary (re-)execs. I don't think we should reopen that problem
by loading IMA from a pre-init tool. Also, the management of such a
thing would seriously suck (i.e. you'd probably need something like
update-alternatives, and that sucks), especially since we now already
taught the initrd to spawn /usr/lib/systemd/systemd directly, instead of
/sbin/init.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Lennart P. <le...@po...>]

On Thu, 16.02.12 15:56, Michael Cassaniti (m.c...@gm...) wrote:

> >>>>Also, I certainly have no such things in my system and see no point in
> >>>>calling ima_setup() on it. Or even compiling the source file in such
> >>>>case.
> >>>>
> >>>Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
> >>>statement, as it happens for SELinux. However an issue is that there is no a specific package for IMA that can be checked to set the HAVE_IMA
> >>>definition to yes. Instead, the code can be enabled for example by
> >>>adding the parameter '--enable_ima' in the configure script.
> >>okay.
> >>
> I'm under the impression this function belongs to a userspace tool.
> If not then I just don't see a good reason that this patch is
> required. I do understand that the IMA policy should be loaded as
> early as possible, but I believe that early userspace scripts should
> be doing that work. If it is a userspace function, then whatever
> makes you happy, other distro's will roll their own.

in systemd, bootup is fully parallelized. I much prefer invoking the IMA
policy at the right time, before we spawn off the first processes,
instead of having to express that with dependencies towards all units.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Lennart P. <le...@po...>]

On Wed, 15.02.12 18:12, Roberto Sassu (rob...@po...) wrote:

> The location of the policy file is not IMA dependent. I chose that
> because it seemed to me the right place where to put this file.
> So, i can easily modify the location to be distribution independent
> but i don't known which directory would be appropriate.
> Any proposal?

/etc/ima.conf or /etc/ima/ima.conf sound like obvious candidates.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Lennart P. <le...@po...>]

On Wed, 15.02.12 17:26, Roberto Sassu (rob...@po...) wrote:

> 
> On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
> >On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu<rob...@po...>  wrote:
> >>The new function ima_setup() loads an IMA custom policy from a file in the
> >>default location '/etc/sysconfig/ima-policy', if present, and writes it to
> >
> >isn't /etc/sysconfig too specific to Fedora?
> >
> 
> Hi Gustavo
> 
> probably yes. I see the code in 'src/locale-setup.c' where the
> the configuration directory depends on the target distribution.
> I can implement something like that in my patch.

We will sooner or later drop the per-distro ifdeffery. Please don't even
start it for new code. Given that IMA is still new, please make sure to
adopt configuration fails that are the same across all distributions.

> >Also, I certainly have no such things in my system and see no point in
> >calling ima_setup() on it. Or even compiling the source file in such
> >case.
> >
> 
> Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
> statement, as it happens for SELinux. However an issue is that there
> is no a specific package for IMA that can be checked to set the
> HAVE_IMA
> definition to yes. Instead, the code can be enabled for example by
> adding the parameter '--enable_ima' in the configure script.

Sounds good.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Lennart P. <le...@po...>]

On Wed, 15.02.12 14:23, Roberto Sassu (rob...@po...) wrote:

> The new function ima_setup() loads an IMA custom policy from a file in the
> default location '/etc/sysconfig/ima-policy', if present, and writes it to
> the path 'ima/policy' in the security filesystem. This function is executed
> at early stage in order to avoid that some file operations are not measured
> by IMA and it is placed after the initialization of SELinux because IMA
> needs the latter (or other security modules) to understand LSM-specific
> rules.

This must be a configure option. I am pretty sure most embedded people
don't require this feature.

The kernel side of things is merged upstream I presume? (We generally
only want to support stuff in our code that is merged upstream itself)

> +#define IMA_SECFS_DIR SECURITYFS_MNTPOINT "/ima"
> +#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy"

Please use proper strings for this. (see my earlier mail)

> +#define IMA_POLICY_PATH "/etc/sysconfig/ima-policy"

This is a Fedoraism. Please introduce a proper configuration file for this.

> +
> +int ima_setup(void) {
> +       struct stat st;
> +       ssize_t policy_size = 0, written = 0;
> +       char *policy;
> +       int policyfd = -1, imafd = -1;
> +       int result = 0;
> +
> +#ifndef HAVE_SELINUX
> +       /* Mount the securityfs filesystem */
> +       mount_setup_early();
> +#endif
> +
> +       if (stat(IMA_POLICY_PATH, &st) == -1)
> +               return 0;

We tend to do "< 0" instead of "== -1" checks for syscall
failures. Might be good to use the same here, but this is not necessary
for getting this merged.

> +
> +       policyfd = open(IMA_POLICY_PATH, O_RDONLY);

We tend to add O_CLOEXEC to all fds we open, just for being
paranoid. Please do so here, too, to avoid surprise and avoid exceptions
when people grep for all open() invocations looking for O_CLOEXEC.

> +       if (policyfd < 0) {
> +               log_error("Failed to open the IMA custom policy file %s (%s), "
> +                         "ignoring.", IMA_POLICY_PATH, strerror(errno));
> +               return 0;
> +       }

Consider using %m instead of %s and strerror(errno).

> +       imafd = open(IMA_SECFS_POLICY, O_WRONLY);

Also O_CLOEXEC please.

> +       if (imafd < 0) {
> +               log_error("Failed to open the IMA kernel interface %s (%s), "
> +                         "ignoring.", IMA_SECFS_POLICY, strerror(errno));
> +               goto out;
> +       }
> +
> +       policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0);
> +       if (policy == NULL) {

mmap() returns MAP_FAILED (i.e. (void) -1) on failure, not NULL. This
check needs to be fixed.

> +               log_error("mmap() failed (%s), freezing", strerror(errno));
> +               result = -errno;
> +               goto out;
> +       }
> +
> +       while(written < policy_size) {
> +               ssize_t len = write(imafd, policy + written,
> +                                   policy_size - written);
> +               if (len <= 0) {
> +                         log_error("Failed to load the IMA custom policy "
> +                                   "file %s (%s), ignoring.", IMA_POLICY_PATH,
> +                                   strerror(errno));
> +                         goto out_mmap;
> +               }
> +               written += len;
> +       }

It might make sense to use loop_write() here instead, which does more or
less this loop, and is defined in util.c anyway.

Otherwise looks good.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: [Linux-ima-user] [systemd-devel] [PATCH 1/2] systemd: mount the securityfs filesystem at early stage

[Lennart P. <le...@po...>]

On Wed, 15.02.12 14:23, Roberto Sassu (rob...@po...) wrote:

> The mount of the securityfs filesystem is now performed in the main systemd
> executable as it is used by IMA to provide the interface for loading custom
> policies. The unit file 'units/sys-kernel-security.mount' has been removed
> because it is not longer necessary.
>  
> +#define SECURITYFS_MNTPOINT "/sys/kernel/security"
> +

Just use the proper path name here. Not sure why we would want a macro
for this, as things are simpler with literal strings for this, the path
is unlikely to change and we generaly don't do this for any of the other
paths.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: [Linux-ima-user] Enforcing signatures with IMA

[Mimi Z. <zo...@li...>]

On Fri, 2012-02-17 at 14:30 +1100, m.c...@gm... wrote:

> Thanks very much for your feedback. I will work on getting the right
> LSM labels added so I check signatures only on the data I want.
> 
> If you don't mind (since I'm lost after reading the wiki) could you
> please suggest some kernel parameters to make all this happen, and
> what policy parameters I would need to only appraise but not measure?
> Sorry but the wiki is currently not specific enough to explain this.

I'm working with Dmitry on updating the wiki.  Hopefully it will answer
your questions.

> What I also failed to mention was that I wanted the machine to refuse
> to load a file that has been tampered with (excluding live data such
> as logs of course which will be filtered by the appropriate LSM
> labelling).

Understood.  EVM verifies and enforces file metadata integrity.
IMA-appraisal verifies and enforces file data integrity.  The
IMA-appraisal patches have not been upstreamed, but are available from
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
#next-ima-appraisal.

thanks,

Mimi

Re: [Linux-ima-user] Enforcing signatures with IMA

[<m.c...@gm...>]

<html><head>
<meta http-equiv="content-type" content="text/html; charset=us-ascii">
<title>Re: [Linux-ima-user] Enforcing signatures with IMA</title>
</head><body><br>
<br>
<div class="gmail_quote">On 16 February 2012 23:36, Mimi Zohar <span
dir="ltr">&lt;zo...@li...&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex;"><div class="im">On Thu, 2012-02-16 at 17:02
+1100, Michael Cassaniti wrote:<br>
&gt; Hi All,<br>
&gt; I was wondering if it would be possible to do the following with
IMA<br>
&gt; and EVM:<br>
</div>
&gt; &#160; &#160; &#160;1. Check the EVM side of things for every file
opened/executed,<br>
<div class="im">&gt; &#160; &#160; &#160; &#160; excluding a few file
paths. I primarily want to have<br>
&gt; &#160; &#160; &#160; &#160; signatures on all executables and
configuration files, but not<br>
&gt; &#160; &#160; &#160; &#160; live data.<br>
<br>
</div>
Filepaths are not supported, but you can identify files to be<br>
included/excluded by LSM obj/subj label. &#160;For example, the SELinux<br>
labels for /var/log/messages is:<br>
<br>
# getfattr -m ^security --dump /var/log/messages<br>
getfattr: Removing leading '/' from absolute path names<br>
# file: var/log/messages<br>
security.selinux="system_u:<wbr>object_r:var_log_t:s0"<br>
<br>
To exclude /var/log/messages, the IMA measurement/appraise policy would<br>
contain,<br>
# var_log_t files<br>
dont_measure obj_type=var_log_t<br>
dont_appraise obj_type=var_log_t<br>
<br>
&gt; &#160; &#160; &#160;1. Force that IMA/EVM attributes do not change
under normal<br>
<div class="im">&gt; &#160; &#160; &#160; &#160; conditions. The machine
would need to be rebooted and have the<br>
&gt; &#160; &#160; &#160; &#160; kernel options changed to support
attribute overwriting.<br>
<br>
</div>
The 'security.ima' xattr containing a digital signature will not change,<br>
even on reboot in fix mode, but 'security.evm' could be updated when<br>
other metdata changes.<br>
<br>
&gt; &#160; &#160; &#160;1. Not extend the TPM PCR. I'm not trying to use
IMA for remote<br>
<div class="im">&gt; &#160; &#160; &#160; &#160; attestation, but rather
for ensuring the code and<br>
&gt; &#160; &#160; &#160; &#160; configuration on my machines haven't been
tampered with.<br>
<br>
</div>
Yes, modify the IMA policy so that nothing is measured, only appraised.<br>
<div class="im"><br>
&gt; Now I did read the wiki before posting to the list. I did find<br>
&gt; information regarding the ima_appraise option, but all it says is
what<br>
&gt; the possible values are, not what they actually mean. I think
someone<br>
&gt; should make that explicit in the wiki. The evm option doesn't have
any<br>
&gt; mention of allowed values, nor a table stating what it all means.<br>
<br>
&gt; So, could someone please update these in the wiki, and is it
possible<br>
&gt; to achieve my objectives from above (the last one isn't a must)?<br>
&gt;<br>
&gt; Regards,<br>
&gt; Michael Cassaniti<br>
<br>
</div>
linux-ima is dated and definitely needs to be updated. The updated wiki<br>
will include a section on the new digital signatures. &#160;Thank you
for<br>
your suggestions.<br>
<br>
thanks,<br>
<br>
Mimi<br>
<br>
</blockquote>
</div>
Thanks very much for your feedback. I will work on 
getting the right LSM labels added so I check signatures only on the data I 
want.<br>
<br>
If you don't mind (since I'm lost after reading the wiki) could
 you please suggest some kernel parameters to make all this happen, and what
 policy parameters I would need to only appraise but not measure? Sorry but 
the wiki is currently not specific enough to explain this.<br>
<br>
What I 
also failed to mention was that I wanted the machine to refuse to load a 
file that has been tampered with (excluding live data such as logs of course
 which will be filtered by the appropriate LSM labelling).<br>
<br>
Thank you,<br>
Michael Cassaniti<br>
<a href="http://mcassaniti.dyndns.org" target="_blank"
>http://mcassaniti.dyndns.org</a><br>
<br>
</body></html>

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Gustavo S. B. <bar...@pr...>]

On Thu, Feb 16, 2012 at 12:35 PM, Roberto Sassu <rob...@po...> wrote:
> On 02/16/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
>>
>> On Thu, Feb 16, 2012 at 11:38 AM, Roberto Sassu<rob...@po...>
>>  wrote:
>>>
>>> On 02/16/2012 05:56 AM, Michael Cassaniti wrote:
>>>>
>>>>
>>>> On 16/02/2012 04:12, Roberto Sassu wrote:
>>>>>
>>>>>
>>>>> On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote:
>>>>>>
>>>>>>
>>>>>> On Wed, Feb 15, 2012 at 2:26 PM, Roberto
>>>>>> Sassu<rob...@po...>  wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Feb 15, 2012 at 11:23 AM, Roberto
>>>>>>>> Sassu<rob...@po...>  wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The new function ima_setup() loads an IMA custom policy from a
>>>>>>>>> file in the
>>>>>>>>> default location '/etc/sysconfig/ima-policy', if present, and
>>>>>>>>> writes it to
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> isn't /etc/sysconfig too specific to Fedora?
>>>>>>>>
>>>>>>> Hi Gustavo
>>>>>>>
>>>>>>> probably yes. I see the code in 'src/locale-setup.c' where the
>>>>>>> the configuration directory depends on the target distribution.
>>>>>>> I can implement something like that in my patch.
>>>>>>
>>>>>>
>>>>>> Can't IMA be changed? Lennart seems to be pushing for distribution
>>>>>> independent location files. If you can get IMA people to agree on
>>>>>> something, just use this one instead.
>>>>>>
>>>>>> People that use IMA with systemd must use this location. Eventually
>>>>>> this will happen with every configuration file we support.
>>>>>>
>>>>> The location of the policy file is not IMA dependent. I chose that
>>>>> because it seemed to me the right place where to put this file.
>>>>> So, i can easily modify the location to be distribution independent
>>>>> but i don't known which directory would be appropriate.
>>>>> Any proposal?
>>>>>
>>>>> Regards
>>>>>
>>>>> Roberto Sassu
>>>>>
>>>>>
>>>>>>>> Also, I certainly have no such things in my system and see no point
>>>>>>>> in
>>>>>>>> calling ima_setup() on it. Or even compiling the source file in such
>>>>>>>> case.
>>>>>>>>
>>>>>>> Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
>>>>>>> statement, as it happens for SELinux. However an issue is that there
>>>>>>> is no a specific package for IMA that can be checked to set the
>>>>>>> HAVE_IMA
>>>>>>> definition to yes. Instead, the code can be enabled for example by
>>>>>>> adding the parameter '--enable_ima' in the configure script.
>>>>>>
>>>>>>
>>>>>> okay.
>>>>>>
>>>>>> --
>>>>>> Gustavo Sverzut Barbieri
>>>>>> http://profusion.mobi embedded systems
>>>>>> --------------------------------------
>>>>>> MSN: bar...@gm...
>>>>>> Skype: gsbarbieri
>>>>>> Mobile: +55 (19) 9225-2202
>>>>
>>>>
>>>> I'm under the impression this function belongs to a userspace tool. If
>>>> not then I just don't see a good reason that this patch is required. I
>>>> do understand that the IMA policy should be loaded as early as possible,
>>>> but I believe that early userspace scripts should be doing that work. If
>>>> it is a userspace function, then whatever makes you happy, other
>>>> distro's will roll their own.
>>>
>>>
>>>
>>> Thanks Mimi for your contribution. I just want to add some
>>> considerations.
>>>
>>>
>>>
>>> Hi Michael
>>>
>>> the reason for which the loading of IMA policies has been placed in
>>> the main Systemd executable is that the measurement process performed
>>> by IMA should start as early as possible. Otherwise, in order to build
>>> the 'chain of trust' during the boot process from the BIOS to software
>>> applications, it is required to measure those components loaded before
>>> IMA is initialized with other means (for example from the boot loader).
>>>
>>> The more the IMA initialization is postponed, greater is the number of
>>> components that must be measured using the second way. For instance,
>>> if the policy loading is done in a userspace script you have to measure
>>> the interpreter and the configuration files read by the latter.
>>>
>>> Since the policy loading can be implemented in different ways depending
>>> on the init system (systemd, upstart, ...), an user must identify the
>>> components to be measured for each case. Instead, if the IMA policy is
>>> loaded in the main Systemd executable, only this file must be measured
>>> by the boot loader.
>>
>>
>> Then I wonder: why not make an ima-init binary that:
>>   - does ima_setup()
>>   - exec systemd || upstart || ...
>>
>> this way you only have to audit this very small file and not systemd
>> itself, it's very early and so on.
>>
>
> This does not work because SELinux is initialized inside Systemd and IMA
> requires it for parsing LSM rules in the policy.

initramfs may do it as well, no? then systemd will inherit it.

I'm not using or reviewing the SELinux patches myself, so I may be
wrong. Let's see if someone will check the code or Lennart will say
what he did.

-- 
Gustavo Sverzut Barbieri
http://profusion.mobi embedded systems
--------------------------------------
MSN: bar...@gm...
Skype: gsbarbieri
Mobile: +55 (19) 9225-2202

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Roberto S. <rob...@po...>]

On 02/16/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
> On Thu, Feb 16, 2012 at 11:38 AM, Roberto Sassu<rob...@po...>  wrote:
>> On 02/16/2012 05:56 AM, Michael Cassaniti wrote:
>>>
>>> On 16/02/2012 04:12, Roberto Sassu wrote:
>>>>
>>>> On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote:
>>>>>
>>>>> On Wed, Feb 15, 2012 at 2:26 PM, Roberto
>>>>> Sassu<rob...@po...>  wrote:
>>>>>>
>>>>>> On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
>>>>>>>
>>>>>>> On Wed, Feb 15, 2012 at 11:23 AM, Roberto
>>>>>>> Sassu<rob...@po...>  wrote:
>>>>>>>>
>>>>>>>> The new function ima_setup() loads an IMA custom policy from a
>>>>>>>> file in the
>>>>>>>> default location '/etc/sysconfig/ima-policy', if present, and
>>>>>>>> writes it to
>>>>>>>
>>>>>>>
>>>>>>> isn't /etc/sysconfig too specific to Fedora?
>>>>>>>
>>>>>> Hi Gustavo
>>>>>>
>>>>>> probably yes. I see the code in 'src/locale-setup.c' where the
>>>>>> the configuration directory depends on the target distribution.
>>>>>> I can implement something like that in my patch.
>>>>>
>>>>> Can't IMA be changed? Lennart seems to be pushing for distribution
>>>>> independent location files. If you can get IMA people to agree on
>>>>> something, just use this one instead.
>>>>>
>>>>> People that use IMA with systemd must use this location. Eventually
>>>>> this will happen with every configuration file we support.
>>>>>
>>>> The location of the policy file is not IMA dependent. I chose that
>>>> because it seemed to me the right place where to put this file.
>>>> So, i can easily modify the location to be distribution independent
>>>> but i don't known which directory would be appropriate.
>>>> Any proposal?
>>>>
>>>> Regards
>>>>
>>>> Roberto Sassu
>>>>
>>>>
>>>>>>> Also, I certainly have no such things in my system and see no point in
>>>>>>> calling ima_setup() on it. Or even compiling the source file in such
>>>>>>> case.
>>>>>>>
>>>>>> Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
>>>>>> statement, as it happens for SELinux. However an issue is that there
>>>>>> is no a specific package for IMA that can be checked to set the
>>>>>> HAVE_IMA
>>>>>> definition to yes. Instead, the code can be enabled for example by
>>>>>> adding the parameter '--enable_ima' in the configure script.
>>>>>
>>>>> okay.
>>>>>
>>>>> --
>>>>> Gustavo Sverzut Barbieri
>>>>> http://profusion.mobi embedded systems
>>>>> --------------------------------------
>>>>> MSN: bar...@gm...
>>>>> Skype: gsbarbieri
>>>>> Mobile: +55 (19) 9225-2202
>>>
>>> I'm under the impression this function belongs to a userspace tool. If
>>> not then I just don't see a good reason that this patch is required. I
>>> do understand that the IMA policy should be loaded as early as possible,
>>> but I believe that early userspace scripts should be doing that work. If
>>> it is a userspace function, then whatever makes you happy, other
>>> distro's will roll their own.
>>
>>
>> Thanks Mimi for your contribution. I just want to add some
>> considerations.
>>
>>
>>
>> Hi Michael
>>
>> the reason for which the loading of IMA policies has been placed in
>> the main Systemd executable is that the measurement process performed
>> by IMA should start as early as possible. Otherwise, in order to build
>> the 'chain of trust' during the boot process from the BIOS to software
>> applications, it is required to measure those components loaded before
>> IMA is initialized with other means (for example from the boot loader).
>>
>> The more the IMA initialization is postponed, greater is the number of
>> components that must be measured using the second way. For instance,
>> if the policy loading is done in a userspace script you have to measure
>> the interpreter and the configuration files read by the latter.
>>
>> Since the policy loading can be implemented in different ways depending
>> on the init system (systemd, upstart, ...), an user must identify the
>> components to be measured for each case. Instead, if the IMA policy is
>> loaded in the main Systemd executable, only this file must be measured
>> by the boot loader.
>
> Then I wonder: why not make an ima-init binary that:
>    - does ima_setup()
>    - exec systemd || upstart || ...
>
> this way you only have to audit this very small file and not systemd
> itself, it's very early and so on.
>

This does not work because SELinux is initialized inside Systemd and IMA
requires it for parsing LSM rules in the policy.

Regards

Roberto Sassu

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Gustavo S. B. <bar...@pr...>]

On Thu, Feb 16, 2012 at 11:38 AM, Roberto Sassu <rob...@po...> wrote:
> On 02/16/2012 05:56 AM, Michael Cassaniti wrote:
>>
>> On 16/02/2012 04:12, Roberto Sassu wrote:
>>>
>>> On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote:
>>>>
>>>> On Wed, Feb 15, 2012 at 2:26 PM, Roberto
>>>> Sassu<rob...@po...> wrote:
>>>>>
>>>>> On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
>>>>>>
>>>>>> On Wed, Feb 15, 2012 at 11:23 AM, Roberto
>>>>>> Sassu<rob...@po...> wrote:
>>>>>>>
>>>>>>> The new function ima_setup() loads an IMA custom policy from a
>>>>>>> file in the
>>>>>>> default location '/etc/sysconfig/ima-policy', if present, and
>>>>>>> writes it to
>>>>>>
>>>>>>
>>>>>> isn't /etc/sysconfig too specific to Fedora?
>>>>>>
>>>>> Hi Gustavo
>>>>>
>>>>> probably yes. I see the code in 'src/locale-setup.c' where the
>>>>> the configuration directory depends on the target distribution.
>>>>> I can implement something like that in my patch.
>>>>
>>>> Can't IMA be changed? Lennart seems to be pushing for distribution
>>>> independent location files. If you can get IMA people to agree on
>>>> something, just use this one instead.
>>>>
>>>> People that use IMA with systemd must use this location. Eventually
>>>> this will happen with every configuration file we support.
>>>>
>>> The location of the policy file is not IMA dependent. I chose that
>>> because it seemed to me the right place where to put this file.
>>> So, i can easily modify the location to be distribution independent
>>> but i don't known which directory would be appropriate.
>>> Any proposal?
>>>
>>> Regards
>>>
>>> Roberto Sassu
>>>
>>>
>>>>>> Also, I certainly have no such things in my system and see no point in
>>>>>> calling ima_setup() on it. Or even compiling the source file in such
>>>>>> case.
>>>>>>
>>>>> Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
>>>>> statement, as it happens for SELinux. However an issue is that there
>>>>> is no a specific package for IMA that can be checked to set the
>>>>> HAVE_IMA
>>>>> definition to yes. Instead, the code can be enabled for example by
>>>>> adding the parameter '--enable_ima' in the configure script.
>>>>
>>>> okay.
>>>>
>>>> --
>>>> Gustavo Sverzut Barbieri
>>>> http://profusion.mobi embedded systems
>>>> --------------------------------------
>>>> MSN: bar...@gm...
>>>> Skype: gsbarbieri
>>>> Mobile: +55 (19) 9225-2202
>>
>> I'm under the impression this function belongs to a userspace tool. If
>> not then I just don't see a good reason that this patch is required. I
>> do understand that the IMA policy should be loaded as early as possible,
>> but I believe that early userspace scripts should be doing that work. If
>> it is a userspace function, then whatever makes you happy, other
>> distro's will roll their own.
>
>
> Thanks Mimi for your contribution. I just want to add some
> considerations.
>
>
>
> Hi Michael
>
> the reason for which the loading of IMA policies has been placed in
> the main Systemd executable is that the measurement process performed
> by IMA should start as early as possible. Otherwise, in order to build
> the 'chain of trust' during the boot process from the BIOS to software
> applications, it is required to measure those components loaded before
> IMA is initialized with other means (for example from the boot loader).
>
> The more the IMA initialization is postponed, greater is the number of
> components that must be measured using the second way. For instance,
> if the policy loading is done in a userspace script you have to measure
> the interpreter and the configuration files read by the latter.
>
> Since the policy loading can be implemented in different ways depending
> on the init system (systemd, upstart, ...), an user must identify the
> components to be measured for each case. Instead, if the IMA policy is
> loaded in the main Systemd executable, only this file must be measured
> by the boot loader.

Then I wonder: why not make an ima-init binary that:
  - does ima_setup()
  - exec systemd || upstart || ...

this way you only have to audit this very small file and not systemd
itself, it's very early and so on.

-- 
Gustavo Sverzut Barbieri
http://profusion.mobi embedded systems
--------------------------------------
MSN: bar...@gm...
Skype: gsbarbieri
Mobile: +55 (19) 9225-2202

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Roberto S. <rob...@po...>]

On 02/16/2012 05:56 AM, Michael Cassaniti wrote:
> On 16/02/2012 04:12, Roberto Sassu wrote:
>> On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote:
>>> On Wed, Feb 15, 2012 at 2:26 PM, Roberto
>>> Sassu<rob...@po...> wrote:
>>>> On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
>>>>> On Wed, Feb 15, 2012 at 11:23 AM, Roberto
>>>>> Sassu<rob...@po...> wrote:
>>>>>> The new function ima_setup() loads an IMA custom policy from a
>>>>>> file in the
>>>>>> default location '/etc/sysconfig/ima-policy', if present, and
>>>>>> writes it to
>>>>>
>>>>> isn't /etc/sysconfig too specific to Fedora?
>>>>>
>>>> Hi Gustavo
>>>>
>>>> probably yes. I see the code in 'src/locale-setup.c' where the
>>>> the configuration directory depends on the target distribution.
>>>> I can implement something like that in my patch.
>>> Can't IMA be changed? Lennart seems to be pushing for distribution
>>> independent location files. If you can get IMA people to agree on
>>> something, just use this one instead.
>>>
>>> People that use IMA with systemd must use this location. Eventually
>>> this will happen with every configuration file we support.
>>>
>> The location of the policy file is not IMA dependent. I chose that
>> because it seemed to me the right place where to put this file.
>> So, i can easily modify the location to be distribution independent
>> but i don't known which directory would be appropriate.
>> Any proposal?
>>
>> Regards
>>
>> Roberto Sassu
>>
>>
>>>>> Also, I certainly have no such things in my system and see no point in
>>>>> calling ima_setup() on it. Or even compiling the source file in such
>>>>> case.
>>>>>
>>>> Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
>>>> statement, as it happens for SELinux. However an issue is that there
>>>> is no a specific package for IMA that can be checked to set the
>>>> HAVE_IMA
>>>> definition to yes. Instead, the code can be enabled for example by
>>>> adding the parameter '--enable_ima' in the configure script.
>>> okay.
>>>
>>> --
>>> Gustavo Sverzut Barbieri
>>> http://profusion.mobi embedded systems
>>> --------------------------------------
>>> MSN: bar...@gm...
>>> Skype: gsbarbieri
>>> Mobile: +55 (19) 9225-2202
> I'm under the impression this function belongs to a userspace tool. If
> not then I just don't see a good reason that this patch is required. I
> do understand that the IMA policy should be loaded as early as possible,
> but I believe that early userspace scripts should be doing that work. If
> it is a userspace function, then whatever makes you happy, other
> distro's will roll their own.

Thanks Mimi for your contribution. I just want to add some
considerations.



Hi Michael

the reason for which the loading of IMA policies has been placed in
the main Systemd executable is that the measurement process performed
by IMA should start as early as possible. Otherwise, in order to build
the 'chain of trust' during the boot process from the BIOS to software 
applications, it is required to measure those components loaded before
IMA is initialized with other means (for example from the boot loader).

The more the IMA initialization is postponed, greater is the number of
components that must be measured using the second way. For instance,
if the policy loading is done in a userspace script you have to measure
the interpreter and the configuration files read by the latter.

Since the policy loading can be implemented in different ways depending
on the init system (systemd, upstart, ...), an user must identify the
components to be measured for each case. Instead, if the IMA policy is
loaded in the main Systemd executable, only this file must be measured
by the boot loader.

Regards

Roberto Sassu

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Mimi Z. <zo...@li...>]

On Thu, 2012-02-16 at 15:56 +1100, Michael Cassaniti wrote:
> On 16/02/2012 04:12, Roberto Sassu wrote:
> > On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote:
> >> On Wed, Feb 15, 2012 at 2:26 PM, Roberto Sassu<rob...@po...>   wrote:
> >>> On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
> >>>> On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu<rob...@po...>     wrote:
> >>>>> The new function ima_setup() loads an IMA custom policy from a file in the
> >>>>> default location '/etc/sysconfig/ima-policy', if present, and writes it to
> >>>>
> >>>> isn't /etc/sysconfig too specific to Fedora?
> >>>>
> >>> Hi Gustavo
> >>>
> >>> probably yes. I see the code in 'src/locale-setup.c' where the
> >>> the configuration directory depends on the target distribution.
> >>> I can implement something like that in my patch.
> >> Can't IMA be changed? Lennart seems to be pushing for distribution
> >> independent location files. If you can get IMA people to agree on
> >> something, just use this one instead.
> >>
> >> People that use IMA with systemd must use this location. Eventually
> >> this will happen with every configuration file we support.
> >>
> > The location of the policy file is not IMA dependent. I chose that
> > because it seemed to me the right place where to put this file.
> > So, i can easily modify the location to be distribution independent
> > but i don't known which directory would be appropriate.
> > Any proposal?
> >
> > Regards
> >
> > Roberto Sassu
> >
> >
> >>>> Also, I certainly have no such things in my system and see no point in
> >>>> calling ima_setup() on it. Or even compiling the source file in such
> >>>> case.
> >>>>
> >>> Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
> >>> statement, as it happens for SELinux. However an issue is that there is no a specific package for IMA that can be checked to set the HAVE_IMA
> >>> definition to yes. Instead, the code can be enabled for example by
> >>> adding the parameter '--enable_ima' in the configure script.
> >> okay.
> >>
> >> --
> >> Gustavo Sverzut Barbieri
> >> http://profusion.mobi embedded systems
> >> --------------------------------------
> >> MSN: bar...@gm...
> >> Skype: gsbarbieri
> >> Mobile: +55 (19) 9225-2202

> I'm under the impression this function belongs to a userspace tool. If 
> not then I just don't see a good reason that this patch is required. I 
> do understand that the IMA policy should be loaded as early as possible, 
> but I believe that early userspace scripts should be doing that work. If 
> it is a userspace function, then whatever makes you happy, other 
> distro's will roll their own.

The default 'ima_tcb' measurement policy measures all files executed,
all files mmapped, and all files read by root.  Not all of these files
need to be measured, but until the LSM policy is loaded, there is no
means of identifying files in order to constrain the policy.

Secondly, the 'security.ima' xattr, for files included in the IMA
appraisal policy, is updated on __fput() to reflect changes.  Depending
on when the policy is updated, this could cause the file's real value
and the xattr stored value to be out of sync, resulting in integrity
verification failures.

As the IMA policy definition can be based on LSM obj/subj labels, the
policy needs to be loaded as early as possible, but only after the LSM
policy has been loaded.

thanks,

Mimi

Re: [Linux-ima-user] Enforcing signatures with IMA

[Mimi Z. <zo...@li...>]

On Thu, 2012-02-16 at 17:02 +1100, Michael Cassaniti wrote:
> Hi All,
> I was wondering if it would be possible to do the following with IMA
> and EVM:
>      1. Check the EVM side of things for every file opened/executed,
>         excluding a few file paths. I primarily want to have
>         signatures on all executables and configuration files, but not
>         live data.

Filepaths are not supported, but you can identify files to be
included/excluded by LSM obj/subj label.  For example, the SELinux
labels for /var/log/messages is:

# getfattr -m ^security --dump /var/log/messages
getfattr: Removing leading '/' from absolute path names
# file: var/log/messages
security.selinux="system_u:object_r:var_log_t:s0"

To exclude /var/log/messages, the IMA measurement/appraise policy would
contain,
# var_log_t files
dont_measure obj_type=var_log_t
dont_appraise obj_type=var_log_t

>      1. Force that IMA/EVM attributes do not change under normal
>         conditions. The machine would need to be rebooted and have the
>         kernel options changed to support attribute overwriting.

The 'security.ima' xattr containing a digital signature will not change,
even on reboot in fix mode, but 'security.evm' could be updated when
other metdata changes. 

>      1. Not extend the TPM PCR. I'm not trying to use IMA for remote
>         attestation, but rather for ensuring the code and
>         configuration on my machines haven't been tampered with.

Yes, modify the IMA policy so that nothing is measured, only appraised.

> Now I did read the wiki before posting to the list. I did find
> information regarding the ima_appraise option, but all it says is what
> the possible values are, not what they actually mean. I think someone
> should make that explicit in the wiki. The evm option doesn't have any
> mention of allowed values, nor a table stating what it all means.

> So, could someone please update these in the wiki, and is it possible
> to achieve my objectives from above (the last one isn't a must)?
> 
> Regards,
> Michael Cassaniti

linux-ima is dated and definitely needs to be updated. The updated wiki
will include a section on the new digital signatures.  Thank you for
your suggestions.

thanks,

Mimi

[Linux-ima-user] Enforcing signatures with IMA

[Michael C. <m.c...@gm...>]

Hi All,
I was wondering if it would be possible to do the following with IMA and 
EVM:

 1. Check the EVM side of things for _every_ file opened/executed,
    excluding a few file paths. I primarily want to have signatures on
    all executables and configuration files, but not live data.
 2. Force that IMA/EVM attributes do not change under normal conditions.
    The machine would need to be rebooted and have the kernel options
    changed to support attribute overwriting.
 3. _Not_ extend the TPM PCR. I'm not trying to use IMA for remote
    attestation, but rather for ensuring the code and configuration on
    my machines haven't been tampered with.

Now I did read the wiki before posting to the list. I did find 
information regarding the ima_appraise option, but all it says is what 
the possible values are, not what they actually mean. I think someone 
should make that explicit in the wiki. The evm option doesn't have any 
mention of allowed values, nor a table stating what it all means.

So, could someone please update these in the wiki, and is it possible to 
achieve my objectives from above (the last one isn't a must)?

Regards,
Michael Cassaniti

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Michael C. <m.c...@gm...>]

On 16/02/2012 04:12, Roberto Sassu wrote:
> On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote:
>> On Wed, Feb 15, 2012 at 2:26 PM, Roberto Sassu<rob...@po...>   wrote:
>>> On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
>>>> On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu<rob...@po...>     wrote:
>>>>> The new function ima_setup() loads an IMA custom policy from a file in the
>>>>> default location '/etc/sysconfig/ima-policy', if present, and writes it to
>>>>
>>>> isn't /etc/sysconfig too specific to Fedora?
>>>>
>>> Hi Gustavo
>>>
>>> probably yes. I see the code in 'src/locale-setup.c' where the
>>> the configuration directory depends on the target distribution.
>>> I can implement something like that in my patch.
>> Can't IMA be changed? Lennart seems to be pushing for distribution
>> independent location files. If you can get IMA people to agree on
>> something, just use this one instead.
>>
>> People that use IMA with systemd must use this location. Eventually
>> this will happen with every configuration file we support.
>>
> The location of the policy file is not IMA dependent. I chose that
> because it seemed to me the right place where to put this file.
> So, i can easily modify the location to be distribution independent
> but i don't known which directory would be appropriate.
> Any proposal?
>
> Regards
>
> Roberto Sassu
>
>
>>>> Also, I certainly have no such things in my system and see no point in
>>>> calling ima_setup() on it. Or even compiling the source file in such
>>>> case.
>>>>
>>> Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
>>> statement, as it happens for SELinux. However an issue is that there is no a specific package for IMA that can be checked to set the HAVE_IMA
>>> definition to yes. Instead, the code can be enabled for example by
>>> adding the parameter '--enable_ima' in the configure script.
>> okay.
>>
>> --
>> Gustavo Sverzut Barbieri
>> http://profusion.mobi embedded systems
>> --------------------------------------
>> MSN: bar...@gm...
>> Skype: gsbarbieri
>> Mobile: +55 (19) 9225-2202
I'm under the impression this function belongs to a userspace tool. If 
not then I just don't see a good reason that this patch is required. I 
do understand that the IMA policy should be loaded as early as possible, 
but I believe that early userspace scripts should be doing that work. If 
it is a userspace function, then whatever makes you happy, other 
distro's will roll their own.