From: Roberto S. <rob...@po...> - 2012-02-20 18:05:45

On 02/20/2012 06:04 PM, Lennart Poettering wrote:
> On Wed, 15.02.12 14:23, Roberto Sassu (rob...@po...) wrote:
>
>> The mount of the securityfs filesystem is now performed in the main systemd
>> executable as it is used by IMA to provide the interface for loading custom
>> policies. The unit file 'units/sys-kernel-security.mount' has been removed
>> because it is no longer necessary.
>>
>> +#define SECURITYFS_MNTPOINT "/sys/kernel/security"
>> +
>
> Just use the proper path name here. Not sure why we would want a macro
> for this, as things are simpler with literal strings for this, the path
> is unlikely to change and we generally don't do this for any of the other
> paths.
>

Hi Lennart

thanks for the review! I'm starting to address issues now.

I created the above macro to avoid that changing this path breaks other
code, but probably yes, its value is unlikely to change. I will remove it.

Roberto Sassu

> Lennart
>
Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies
From: Lennart P. <le...@po...> - 2012-02-20 19:07:37

On Mon, 20.02.12 19:36, Roberto Sassu (rob...@po...) wrote:

>
> On 02/20/2012 06:14 PM, Lennart Poettering wrote:
> >On Wed, 15.02.12 18:12, Roberto Sassu (rob...@po...) wrote:
> >
> >>The location of the policy file is not IMA dependent. I chose that
> >>because it seemed to me the right place where to put this file.
> >>So, I can easily modify the location to be distribution independent
> >>but I don't know which directory would be appropriate.
> >>Any proposal?
> >
> >/etc/ima.conf or /etc/ima/ima.conf sound like obvious candidates.
> >
>
> I prefer the first one, because the second pathname raises the problem
> of creating a new subdirectory. However, I think we should keep the
> word 'policy' in the file name to avoid users believing that it is a
> configuration file.

Creating a subdir is a problem? How so?

You should use a subdir /etc/ima/ if there's the chance that sooner or
later you might have to add another config file of some sorts to IMA. If
you are really sure that never happens, then you don't need the dir, but
if you are in doubt, better use one. (But this is the policy file,
right? So I figure you might end up with adding a conf file with options
like selinux's enforcing/permissive later on, so I think you should
better add a dir)

(Oh, and in contrast to what I suggested, if this is the policy file,
and not a configuration file, the .conf suffix of course makes little sense)

Lennart

--
Lennart Poettering - Red Hat, Inc.
Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies
From: Roberto S. <rob...@po...> - 2012-02-21 09:20:53

On 02/20/2012 08:07 PM, Lennart Poettering wrote:
> On Mon, 20.02.12 19:36, Roberto Sassu (rob...@po...) wrote:
>
>>
>> On 02/20/2012 06:14 PM, Lennart Poettering wrote:
>>> On Wed, 15.02.12 18:12, Roberto Sassu (rob...@po...) wrote:
>>>
>>>> The location of the policy file is not IMA dependent. I chose that
>>>> because it seemed to me the right place where to put this file.
>>>> So, I can easily modify the location to be distribution independent
>>>> but I don't know which directory would be appropriate.
>>>> Any proposal?
>>>
>>> /etc/ima.conf or /etc/ima/ima.conf sound like obvious candidates.
>>>
>>
>> I prefer the first one, because the second pathname raises the problem
>> of creating a new subdirectory. However, I think we should keep the
>> word 'policy' in the file name to avoid users believing that it is a
>> configuration file.
>
> Creating a subdir is a problem? How so?
>

The problem I see is who creates the subdirectory. In the systemd case, I
think this should be accomplished in the Makefile or in the RPM script.
Other boot solutions should implement something like that and they need
to create the subdirectory as well. This is because, as said above, there
is no IMA userspace package to perform the operation. However, if the
creation is made by the boot software I think this should not be a problem.

> You should use a subdir /etc/ima/ if there's the chance that sooner or
> later you might have to add another config file of some sorts to IMA. If
> you are really sure that never happens, then you don't need the dir, but
> if you are in doubt, better use one. (But this is the policy file,
> right? So I figure you might end up with adding a conf file with options
> like selinux's enforcing/permissive later on, so I think you should
> better add a dir)
>

Ok, it is probably better to add a new subdirectory to support additional
IMA configuration files. Maybe Mimi Zohar knows if there are plans to
introduce new files.

> (Oh, and in contrast to what I suggested, if this is the policy file,
> and not a configuration file, the .conf suffix of course makes little sense)
>

So, finally I think we can agree to use '/etc/ima/ima-policy' as pathname
for the IMA custom policy.

Thanks

Roberto Sassu

> Lennart
>
Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies
From: <m.c...@gm...> - 2012-02-21 23:45:21

On 22 February 2012 04:54, Mimi Zohar <zo...@li...> wrote:
> Hi Roberto,
>
> The only package we have at the moment is Dmitry Kasatkin's evm-utils
> git://linux-ima.git.sourceforge.net/gitroot/linux-ima/evm-utils used for
> labeling the filesystem with security.evm/security.ima digital
> signatures.
>
> There's still a lot left to do, but we've started updating the linux-ima
> Wiki:
> https://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page
>
> thanks,
>
> Mimi

Hi Mimi,
Could you please elaborate on the wiki what the ima_appraise options actually mean? I can take a guess, but a simple table explaining exactly what they are would be useful. Same with the evm options.

Additionally, the wiki (as I have read it) suggests that measuring is enabled and on when the ima_tcb kernel option is given. From what you've written on the list, it should be possible to appraise when a file is mmapped, opened or executed according to the policy without being measured. Can you make this a bit more explicit in the wiki, explaining what the measurement options are to enable/disable measurement? If this is done via the policy instead of via a kernel option, can you adjust that as well (I don't know if there's a policy option of appraise only)?

You're doing some great work here. While I'm not using IMA for attestation, I'm planning on verifying all my configuration files and executables. The features you've got ready for the 3.3 merge seem to fit exactly what I'm after, but I need to know what to set in kernel first. Keep up the good work.

--
Michael Cassaniti
http://mcassaniti.dyndns.org
Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies
From: Mimi Z. <zo...@li...> - 2012-03-02 16:30:05

On Wed, 2012-02-22 at 10:45 +1100, m.c...@gm... wrote:
> Hi Mimi,
> Could you please elaborate on the wiki what the ima_appraise options
> actually mean? I can take a guess, but a simple table explaining
> exactly what they are would be useful. Same with the evm options.

Thanks for the suggestions.

> Additionally, the wiki (as I have read it) suggests that measuring is
> enabled and on when the ima_tcb kernel option is given. From what
> you've written on the list, it should be possible to appraise when a
> file is mmapped, opened or executed according to the policy without
> being measured. Can you make this a bit more explicit in the wiki,
> explaining what the measurement options are to enable/disable
> measurement? If this is done via the policy instead of via a kernel
> option, can you adjust that as well (I don't know if there's a policy
> option of appraise only)?

These are all good questions. For IMA measurement, the chain of trust
needs to be there before we access any files, including the measurement
policy; so we require a builtin policy. Is this also necessary for
appraisal? Perhaps, but I'm not sure. It might suffice to provide dracut,
or equivalent, with the measurement/appraisal policy name on the boot
command line.

> You're doing some great work here. While I'm not using IMA for
> attestation, I'm planning on verifying all my configuration files and
> executables. The features you've got ready for the 3.3 merge seem to
> fit exactly what I'm after, but I need to know what to set in kernel
> first. Keep up the good work.

Thank you for your support! Unfortunately, the benefits of the 3.3
features - verifying and appraising files - require IMA-appraisal, which
is still a proposed patch set.

git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity #next-ima-appraisal

For the IMA-appraisal patches to be upstreamed, we most likely need some
additional reviews/Acks. :)

The patches were last posted
http://marc.info/?l=linux-security-module&m=133062939721505&w=2

thanks,

Mimi