From: Mimi Z. <zo...@li...> - 2009-10-02 20:16:23
On Sat, 2009-10-03 at 01:08 +0600, Shaz wrote:
>
> On Fri, Oct 2, 2009 at 8:27 PM, Roberto Sassu <rob...@po...> wrote:
> > Hi all
> >
> > I'm trying to protect the integrity of labels used by a Mandatory Access
> > Control to enforce security policies.
> >
> > I see that it's possible to create custom IMA policies that permit finding,
> > with finer granularity, the objects of the system to be measured.
> >
> > In SELinux I have such a transition:
> >
> >     type_transition initrc_t myapp_exec_t:process myapp_t;
> >
> > and such a type of executable is the only entrypoint for the domain myapp_t.
> >
> > Instead of adding an HMAC signature over the executable, I'm thinking of
> > modifying IMA in order to measure and verify the binary against a value
> > previously collected and to allow/deny the operation requested depending on
> > the result.
> >
> > I can have a rule that filters the execve of myapp by writing such an IMA
> > policy:
> >
> >     obj_type=myapp_exec_t func=BPRM_CHECK
> >
> > with the addition:
> >
> >     HASH=<good value>
> >
> > In such a case, if the calculated hash is different, IMA will deny the
> > operation. Does this proposal address the issue?
>
> IMA works as trusted boot, not secure boot, so it will load the binary but
> report it as a bad SHA1 hash. SHA1 is the default but HMAC is also an option.
> SELinux is trustworthy as long as you can trust the system administrator. So
> if your policy is correct and the labeling rules are correct and intact, then
> your problem will be solved. IMA only reports whether the software is the
> expected one. You can measure the file-context labeling file to be sure that
> your application will get the label that you expect, but that is too static
> for me :)
>
> Thanks for replies.
>
> --
> Shaz

Roberto,

Thanks Shaz! Now that IMA is in the Linux kernel, we are working on adding
hash verification to IMA, based on our earlier EVM work. For more information
on EVM, refer to:

http://lists.jammed.com/linux-security-module/2005/11/0011.html

"Trusted Computing and Open Source", D. Safford, M. Zohar, Elsevier Information
Security Technical Report, Volume 10 Issue 2, pp 74-82, 2005.

Mimi
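As an added illustration (not code from this thread, nor from the IMA project), the Python below shows the verifier side of the "measure, then report" behaviour Shaz describes: it reads entries in the layout of IMA's ascii measurement list and compares the recorded file hash of the myapp binary against a known-good value. The measurement lines, paths and digests are constructed samples; the ima-ng and ima template field layout is an assumption of the example.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Hypothetical allowlist for the myapp binary from the thread. The digests are
# computed from constructed bytes so the sample is self-consistent; a real list
# would hold the previously collected known-good value.
GOOD_MYAPP = hashlib.sha1(b"constructed contents of /usr/bin/myapp v1").hexdigest()
TAMPERED_MYAPP = hashlib.sha1(b"constructed contents of a modified myapp").hexdigest()
EXPECTED: Dict[str, str] = {"/usr/bin/myapp": GOOD_MYAPP}

# Constructed sample of /sys/kernel/security/ima/ascii_runtime_measurements.
# Layout assumed: "<pcr> <template-hash> <template> <hash-field> <path>", where
# the ima-ng template writes "<algo>:<hex>" and the older ima template a bare
# SHA1. Template hashes below are dummies; only the file hash is checked.
SAMPLE_MEASUREMENTS = [
    f"10 {'0' * 40} ima-ng sha1:{GOOD_MYAPP} /usr/bin/myapp",
    f"10 {'1' * 40} ima-ng sha1:{TAMPERED_MYAPP} /usr/bin/myapp",
    f"10 {'2' * 40} ima {GOOD_MYAPP} /usr/bin/other tool",
]


def parse_measurement(line: str) -> Tuple[str, str, str]:
    """Return (algo, file_hash, path) for one measurement-list line.
    The path is the remainder of the line, so paths with spaces survive."""
    pcr, template_hash, template, hash_field, path = line.rstrip("\n").split(" ", 4)
    if template == "ima-ng":
        algo, file_hash = hash_field.split(":", 1)
    elif template == "ima":
        algo, file_hash = "sha1", hash_field
    else:
        raise ValueError(f"unsupported template {template!r}")
    return algo, file_hash.lower(), path


def check_measurements(lines: Iterable[str], expected: Dict[str, str]) -> List[Tuple[str, str]]:
    """Classify each entry as 'ok', 'MISMATCH' (hash differs from the allowlist)
    or 'unknown' (path not in the allowlist). Because IMA measures rather than
    enforces, a MISMATCH means the binary already ran: this is detection only."""
    results = []
    for line in lines:
        _algo, file_hash, path = parse_measurement(line)
        good = expected.get(path)
        if good is None:
            status = "unknown"
        elif file_hash == good.lower():
            status = "ok"
        else:
            status = "MISMATCH"
        results.append((path, status))
    return results


if __name__ == "__main__":
    for path, status in check_measurements(SAMPLE_MEASUREMENTS, EXPECTED):
        print(f"{status:9s} {path}")
```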