From: Mimi Z. <zo...@li...> - 2012-02-17 04:16:19
On Fri, 2012-02-17 at 14:30 +1100, m.c...@gm... wrote:
> Thanks very much for your feedback. I will work on getting the right
> LSM labels added so I check signatures only on the data I want.
>
> If you don't mind (since I'm lost after reading the wiki) could you
> please suggest some kernel parameters to make all this happen, and
> what policy parameters I would need to only appraise but not measure?
> Sorry but the wiki is currently not specific enough to explain this.

I'm working with Dmitry on updating the wiki. Hopefully it will answer
your questions.

> What I also failed to mention was that I wanted the machine to refuse
> to load a file that has been tampered with (excluding live data such
> as logs of course which will be filtered by the appropriate LSM
> labelling).

Understood. EVM verifies and enforces file metadata integrity.
IMA-appraisal verifies and enforces file data integrity.

The IMA-appraisal patches have not been upstreamed, but are available from
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity #next-ima-appraisal.

thanks,

Mimi
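The question above (appraise but do not measure, and restrict appraisal by LSM label) is not answered with concrete rules in the thread. The policy below is an added illustration, not text from Mimi or from the linux-integrity wiki. It uses the rule syntax of the IMA policy ABI (Documentation/ABI/testing/ima_policy) as later upstreamed; whether the 2012 #next-ima-appraisal branch accepted every keyword is not established by this page. The SELinux types (bin_t, lib_t, var_log_t) and the file path /etc/ima/ima-policy are assumptions chosen for the example; substitute the labels that actually exist on the target system.

```text
# Added example: an appraise-only IMA policy. Assumes an SELinux-labelled
# system and the upstream ima_policy rule syntax; the obj_type values are
# placeholders, not from the original thread.
#
# Boot with:  ima_appraise=fix  (first boot, to label files with security.ima)
#             ima_appraise=enforce evm=fix  (subsequent boots)
# Load with:  cat /etc/ima/ima-policy > /sys/kernel/security/ima/policy
#
# No "measure" rules at all, so nothing is added to the measurement list.

# Pseudo filesystems carry no persistent xattrs: never appraise them.
dont_appraise fsmagic=0x9fa0        # PROC_SUPER_MAGIC
dont_appraise fsmagic=0x62656572    # SYSFS_MAGIC
dont_appraise fsmagic=0x64626720    # DEBUGFS_MAGIC
dont_appraise fsmagic=0x01021994    # TMPFS_MAGIC
dont_appraise fsmagic=0x858458f6    # RAMFS_MAGIC
dont_appraise fsmagic=0x73636673    # SECURITYFS_MAGIC

# Live data (logs) must stay writable without tripping appraisal; the
# requester's plan was to separate it by LSM label, so exclude by type.
dont_appraise obj_type=var_log_t

# Appraise (verify and enforce security.ima) on execute and on mmap of
# executables and shared libraries, matched by SELinux object type.
appraise func=BPRM_CHECK obj_type=bin_t
appraise func=FILE_MMAP obj_type=lib_t
```

Two practical checks: after loading, `cat /sys/kernel/security/ima/policy` is write-only on older kernels, so confirm the rules took effect by reading a labelled file and watching dmesg for appraisal failures rather than by reading the policy back; and before switching to `ima_appraise=enforce`, do a full `fix`-mode pass (every file that matches a rule must be read or executed once) or unlabelled files will be refused at the next boot.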