From: Dmitry K. <d.k...@sa...> - 2014-11-14 08:02:49
On 12/11/14 23:20, Mimi Zohar wrote:
> On Wed, 2014-11-12 at 19:49 +0100, Christophe Fillot wrote:
>> Hello all,
>>
>> I have built a Debian test system in a VM with IMA appraisal, my goal is
>> that all binaries/libraries on the system must be signed. No user (even
>> root) should be able to run an unsigned binary.
>>
>> I load the IMA policy from an initramfs script and it contains these
>> lines (as the default kernel policy):
>>
>> [...]
>> # TMPFS_MAGIC = 0x01021994
>> dont_measure fsmagic=0x01021994
>> dont_appraise fsmagic=0x01021994
>> # RAMFS_MAGIC = 0x858458f6
>> dont_measure fsmagic=0x858458f6
>> dont_appraise fsmagic=0x858458f6
>> [...]
>>
>> This is required because the initramfs is a cpio archive (without
>> support of xattrs) loaded into a ramfs.
>
> Right, a general solution would be to add an initramfs archive format,
> which supports extended attributes, to the Linux kernel and remove the
> don't appraise ramfs rules. (The don't measure rule was already removed
> in commit 08de59e Revert "ima: policy for RAMFS".)
>
>> The problem is that after boot, root is able to mount a tmpfs/ramfs FS
>> and can run binaries from it.
>
> For now, the simplest option is to replace the default policy from the
> initramfs just before pivoting root.
>
>> I would like to have some feedback / suggestions on how people handle
>> this case ?
>
> If you're building your own kernel, another option is Dmitry's [PATCH v4
> 0/6] ima: provide signature based 'init' appraisal patch set, which are
> available from here:
> https://git.kernel.org/cgit/linux/kernel/git/zohar/linux-integrity.git/log/?h=next-init-v4
>
> This option requires a bit more effort, but actually works. :)
>
> Mimi

Hi,

Right, until we get xattrs support in initramfs, it is not possible to use it.
We built in all necessary modules to the kernel and run from rootfs straight
away. Shortly I will update IMA wiki to describe how to prepare signed
user-space initialization scripts.

BR,
Dmitry

> _______________________________________________
> Linux-ima-user mailing list
> Lin...@li...
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
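The following is an added shell example, not code from this thread or from the IMA project, illustrating the option Mimi describes: keep the tmpfs/ramfs appraisal exemptions only while the initramfs itself needs them, and load a custom policy without those exemptions once, right before pivot_root/switch_root, so that a later root-mounted tmpfs or ramfs is no longer a place to run unsigned binaries from. The sample policy text is constructed (it reuses the two magic numbers quoted above and adds a hypothetical `appraise ... appraise_type=imasig` rule); the policy is loaded by writing it to the securityfs file `/sys/kernel/security/ima/policy`, assuming securityfs is mounted there.

```shell
#!/bin/sh
# Added example (not from the thread): derive a stricter IMA policy from the
# initramfs one and load it just before pivoting to the real root.

# Constructed sample policy, mirroring the lines quoted in the thread plus a
# hypothetical signature-appraisal rule for executables and mmap'ed files.
INITRAMFS_POLICY='# TMPFS_MAGIC = 0x01021994
dont_measure fsmagic=0x01021994
dont_appraise fsmagic=0x01021994
# RAMFS_MAGIC = 0x858458f6
dont_measure fsmagic=0x858458f6
dont_appraise fsmagic=0x858458f6
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=MMAP_CHECK appraise_type=imasig'

# Print the policy with the tmpfs/ramfs appraisal exemptions removed.
# The dont_measure lines are left as they are; only appraisal is tightened.
strip_ramfs_appraise_exemptions() {
    printf '%s\n' "$1" | grep -v -E '^dont_appraise fsmagic=(0x01021994|0x858458f6)$'
}

# Return 0 (true) if the policy still exempts tmpfs or ramfs from appraisal,
# i.e. if root could still mount one and run unsigned binaries from it.
policy_exempts_ramfs() {
    printf '%s\n' "$1" | grep -q -E '^dont_appraise fsmagic=(0x01021994|0x858458f6)$'
}

# Load the policy into the kernel by writing the rules to the securityfs
# policy file (assumed path; override with IMA_POLICY_PATH). Fails when the
# file is not writable, e.g. when run outside the initramfs as a normal user.
load_ima_policy() {
    policy_path="${IMA_POLICY_PATH:-/sys/kernel/security/ima/policy}"
    [ -w "$policy_path" ] || return 1
    printf '%s\n' "$1" > "$policy_path"
}

STRICT_POLICY=$(strip_ramfs_appraise_exemptions "$INITRAMFS_POLICY")

# With --apply, load the stricter policy (run this as the last step of the
# initramfs init, right before pivot_root/switch_root); otherwise just show it.
if [ "${1:-}" = "--apply" ]; then
    load_ima_policy "$STRICT_POLICY" || {
        echo "IMA policy file not writable; is securityfs mounted?" >&2
        exit 1
    }
else
    printf '%s\n' "$STRICT_POLICY"
fi
```

Two points worth checking on a real system: on kernels of the era discussed here, the policy file accepts a single successful write and is then removed, so the custom policy has to be loaded exactly once, at the end of the initramfs stage rather than at its start; and after loading it, any binary on a freshly mounted tmpfs or ramfs must fail to execute unless it carries a valid `security.ima` signature, which is the behaviour Christophe is asking for.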