From: Nicolai K. <nic...@si...> - 2010-08-20 09:48:19
David Safford wrote:
>> Thank you for your quick answer. Could you provide a short
>> demonstration using the IMA policies with LSM policies? It would help us
>> a lot to see good examples to get a better understanding of the policy
>> system.
>>
>> Nicolai
>
> Using Smack labels for IMA measurement control.
>
> IMA has a flexible policy language for specifying which files
> are to be measured or not measured. In some cases, a more
> fine-grained, or file-by-file control of measurement is desired.
> The IMA policy language can use LSM labels on individual files
> in the policy language for fine grained specifications, but
> this can be complex, particularly with SELinux as the LSM.
>
> Smack provides a very simple way to label files for measurement,
> and the following example shows how to use it this way, using a
> label of 'M' to designate that a file is to be measured.
>
> 1. Configure/compile/install/boot a kernel with IMA and Smack built in.
>
> 2. mount smackfs and securityfs (for IMA):
> - mkdir /smack
> - add the following lines to /etc/fstab:
> smackfs /smack smackfs smackfsdef=* 0 0
> securityfs /sys/kernel/security securityfs defaults 0 0
> - mount /smack; mount /sys/kernel/security
>
> 3. add a Smack policy for "M" (for objects which are to be measured):
> "_ M rwxa"
> The easiest way to do this is to create a file with exactly these
> contents:
> "_ M rwxa"
> and cat this file into /smack/load in an early init script.
> Note that the file must be exactly these 52 bytes
> ('_' 23 spaces, 'M', 23 spaces, "rwxa") without any trailing
> null, newline, or spaces. Alternately you can install the smack
> utilities, and use the program smackload to format and load the rule.
>
> 4. load an IMA policy with the new rule "measure obj_user=M",
> to tell IMA to measure all files with a Smack label of "M"
> This can be combined with the default policy to measure all
> executables and to ignore virtual filesystems:
> # PROC_SUPER_MAGIC
> dont_measure fsmagic=0x9fa0
> # SYSFS_MAGIC
> dont_measure fsmagic=0x62656572
> # DEBUGFS_MAGIC
> dont_measure fsmagic=0x64626720
> # TMPFS_MAGIC
> dont_measure fsmagic=0x01021994
> # SECURITYFS_MAGIC
> dont_measure fsmagic=0x73636673
> measure func=BPRM_CHECK
> measure func=FILE_MMAP mask=MAY_EXEC
> measure func=FILE_CHECK mask=MAY_READ obj_user=M
> The policy is copied into /sys/kernel/security/ima/policy.
> The policy should be loaded just after loading the Smack policy.
>
> 5. label any files you want measured with an 'M' Smack label:
> setfattr -n security.SMACK64 -v M file ...
>
> That's it.
>
> In this mode, everything runs at Smack level "_", and we
> are using Smack just to query Smack's object (file) labels.
>
> Note that in this mode, new files will by default get a '_'
> label, so if you want new files to be measured, you have to
> explicitly set their labels after they are first created.
>
> dave
Unfortunately, our target device uses ymfs2 as its file system (Android-
specific) which does not support extended attributes/labels. I know
that there is a patch for this used/provided by SELinux. But for my
feeling this is in a way not the cleanest solution.
Is there another way to use IMA for individual files without labels?
nicolai
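The Smack rule in Dave's step 3 is easy to get wrong by hand, since the rule must be exactly 52 bytes with no trailing newline. The following shell script is an added example, not code from the original mail or from the IMA/Smack projects: it builds the padded rule with printf, verifies its byte length, emits the combined IMA policy from step 4, and only writes to /smack/load and /sys/kernel/security/ima/policy when those files actually exist and are writable (the paths are the ones named in the mail; a system without Smack and IMA mounted just gets the content printed for inspection).

```shell
#!/bin/sh
# Added example (not part of the original thread). Generates and checks the
# Smack rule and IMA policy from Dave's steps 3 and 4. The load_* helpers
# assume smackfs is mounted on /smack and securityfs on
# /sys/kernel/security, as in step 2 of the mail.

# Emit the Smack rule "_ M rwxa": subject '_' left-justified in a 24-byte
# field ('_' + 23 spaces), object 'M' likewise, then the access string
# "rwxa". printf adds no trailing newline, so the output is exactly 52 bytes.
smack_rule() {
    printf '%-24s%-24s%s' '_' 'M' 'rwxa'
}

# Byte length of the generated rule; must be 52 for /smack/load to accept it.
smack_rule_len() {
    smack_rule | wc -c | tr -d ' '
}

# Write the rule to a file and fail unless the file is exactly 52 bytes.
# Useful for the "cat file > /smack/load" approach from an init script.
write_smack_rule_file() {
    smack_rule > "$1"
    len=$(wc -c < "$1" | tr -d ' ')
    [ "$len" = "52" ] || { echo "bad rule length $len in $1" >&2; return 1; }
}

# The IMA policy from step 4: skip virtual filesystems, measure all
# executables, and measure any file read that carries Smack label "M".
ima_policy() {
    cat <<'EOF'
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ obj_user=M
EOF
}

# Number of non-comment rules in the policy (sanity check before loading).
ima_policy_rule_count() {
    ima_policy | grep -c '^[^#]'
}

# Load the Smack rule first, then the IMA policy (the mail says the IMA
# policy should be loaded just after the Smack policy). Both writes are
# guarded so the script is harmless on a machine without Smack/IMA.
load_smack_rule() {
    if [ -w /smack/load ]; then
        smack_rule > /smack/load
    else
        echo "/smack/load not writable; rule not loaded" >&2
    fi
}

load_ima_policy() {
    if [ -w /sys/kernel/security/ima/policy ]; then
        ima_policy > /sys/kernel/security/ima/policy
    else
        echo "/sys/kernel/security/ima/policy not writable; policy not loaded" >&2
    fi
}

# Step 5: mark files for measurement by giving them the 'M' Smack label.
label_for_measurement() {
    setfattr -n security.SMACK64 -v M "$@"
}

# Demonstration: show the rule, its length, and the policy that would be loaded.
printf 'Smack rule (%s bytes): [' "$(smack_rule_len)"; smack_rule; printf ']\n'
echo "IMA policy (${$(ima_policy_rule_count)} rules):" 2>/dev/null || true
ima_policy
```

To actually apply it on a Smack+IMA kernel, call `load_smack_rule`, then `load_ima_policy`, then `label_for_measurement /path/to/file` for each file to measure; `write_smack_rule_file /etc/smack/measure.rule` produces a file whose length is checked before it is ever cat'ed into /smack/load.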