From: David S. <sa...@wa...> - 2010-08-19 20:13:35
> Thank you for your quick answer. Could you provide a short
> demonstration using the IMA policies with LSM policies? It would help us
> a lot to see good examples to get a better understanding of the policy
> system.
>
> Nicolai

Using Smack labels for IMA measurement control.

IMA has a flexible policy language for specifying which files
are to be measured or not measured. In some cases, a more
fine-grained, or file-by-file, control of measurement is desired.
The IMA policy language can use LSM labels on individual files
in the policy language for fine-grained specifications, but
this can be complex, particularly with SELinux as the LSM.
Smack provides a very simple way to label files for measurement,
and the following example shows how to use it this way, using a
label of 'M' to designate that a file is to be measured.
1. Configure/compile/install/boot a kernel with IMA and Smack built in.
2. mount smackfs and securityfs (for IMA):
   - mkdir /smack
   - add the following lines to /etc/fstab:
       smackfs /smack smackfs smackfsdef=* 0 0
       securityfs /sys/kernel/security securityfs defaults 0 0
   - mount /smack; mount /sys/kernel/security
3. add a Smack policy for "M" (for objects which are to be measured):
   "_                       M                       rwxa"
   The easiest way to do this is to create a file with exactly these
   contents:
   "_                       M                       rwxa"
   and cat this file into /smack/load in an early init script.
   Note that the file must be exactly these 52 bytes
   ('_', 23 spaces, 'M', 23 spaces, "rwxa") without any trailing
   null, newline, or spaces. Alternatively you can install the smack
   utilities, and use the program smackload to format and load the rule.
4. load an IMA policy with the new rule "measure obj_user=M",
   to tell IMA to measure all files with a Smack label of "M".
   This can be combined with the default policy to measure all
   executables and to ignore virtual filesystems:
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ obj_user=M
   The policy is copied into /sys/kernel/security/ima/policy.
   The policy should be loaded just after loading the Smack policy.
5. label any files you want measured with an 'M' Smack label:
   setfattr -n security.SMACK64 -v M file ...
That's it.
In this mode, everything runs at Smack level "_", and we
are using Smack just to query Smack's object (file) labels.
Note that in this mode, new files will by default get a '_'
label, so if you want new files to be measured, you have to
explicitly set their labels after they are first created.
dave
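An added example, not part of David's mail: a POSIX shell script that builds the fixed-width Smack rule from step 3 (padding subject and object to 24 bytes each, so "_ M rwxa" comes out as exactly 52 bytes), emits the IMA policy from step 4, and loads both before labelling files as in step 5. The paths /smack/load and /sys/kernel/security/ima/policy and the security.SMACK64 attribute are the ones named in the mail; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumes a kernel with IMA and
# Smack, smackfs mounted on /smack and securityfs on /sys/kernel/security.

# Emit one rule in the fixed-width Smack load format described in the mail:
# subject and object each padded to 24 bytes, then the access string, with
# no trailing newline. smack_rule _ M rwxa is exactly 52 bytes.
smack_rule() {
    printf '%-24s%-24s%s' "$1" "$2" "$3"
}

# Byte length of a rule, so a caller can verify it before writing /smack/load.
smack_rule_len() {
    smack_rule "$1" "$2" "$3" | wc -c | tr -d ' '
}

# The IMA policy from the mail: skip virtual filesystems, measure everything
# executed or mmap'd executable, and measure any file read while carrying the
# Smack object label passed as $1.
ima_policy() {
    cat <<EOF
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ obj_user=$1
EOF
}

# Steps 3-5 on a live system (root required): Smack rule first, then the IMA
# policy, then label each file given on the command line with 'M'.
load_measurement_policy() {
    [ "$(smack_rule_len _ M rwxa)" -eq 52 ] || { echo "bad rule length" >&2; return 1; }
    smack_rule _ M rwxa > /smack/load || return 1
    ima_policy M > /sys/kernel/security/ima/policy || return 1
    for f in "$@"; do
        setfattr -n security.SMACK64 -v M "$f" || return 1
    done
}

# Only touch the kernel when explicitly asked: ./script.sh --apply /path/to/file ...
if [ "${1:-}" = "--apply" ]; then shift; load_measurement_policy "$@"; fi
```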