From: Curtis V. <cu...@vp...> - 2015-06-16 14:14:20
Somehow I skipped past the answer to one question last night when I looked at the wiki...
>From: Curtis Veit
>Sent: Tuesday, June 16, 2015 7:58 AM
>To: 'lin...@li...'
>Subject: Looking for definition of ima behavior "importing" signatures and hashes.
>
>I've mentioned seeing odd behavior copying hashes and signatures using rsync and tar.
>Is there documentation anywhere describing the expected behavior?
>
>A couple examples. I just switched kernels from my own with ima-sig and hashes=sha256 built in to a standard
>Ubuntu kernel and now all hashes and signatures get changed automatically to sha1. I guess this should be expected
>but was a surprise in a way. (Apparently Ubuntu is shipping a kernel that defaults to sha1)
>
>Things that seem to affect the behavior creating the hash or signature.
>
>IMA kernel Mode: ima ima-ng or ima-sig
>IMA hash default: sha1 sha256, sha512
>(Can anyone tell me what the kernel command line arguments are for these two items?)
>From the wiki: Controlling IMA
ima_template= template used
Format: { "ima" | "ima-ng" | "ima-sig" }
NEW Linux 3.13 default: "ima-ng"
ima_hash= hash used
Format: { "sha1" | "md5" | "sha256" | "sha512" | "wp512" | ... }
'ima' template default: "sha1"
NEW Linux 3.13 default: "sha256"
Note that Ubuntu kernels seem to be using sha1 as the default on kernels after 3.13
>
>IMA can also be in a state where the xattrs are simply dropped when the copy is done.
>(Can anyone point me to an explanation of conditions that must be met for the xattr to be retained?)
>This may be related to the policy that is currently in force. And seems to work when in either fix or
>enforcing mode.
>There are times I think I should be in enforcing mode but hashes are dropped. I am not certain
>if it is because I am not actually in enforcing mode or because the policy I loaded is bad.
>Is there a definition for how policy settings affect the restoration of IMA xattrs when copying
>with tar or rsync?
>
>Any help on this would be profoundly appreciated! (pointer to docs and/or the place the code implements the
>behavior or specific explanations would be very helpful.)
>
>Best regards,
>Curtis
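As an added example (not from this list post, the wiki excerpt, or the IMA project), a small Python decoder for the security.ima value that shows which template type and hash algorithm the kernel actually wrote, plus a classifier for what happened to that xattr between a file and its tar/rsync copy. The byte layouts follow the kernel's security/integrity/integrity.h and include/uapi/linux/hash_info.h; the sample values used for checking are constructed.

```python
import os
from typing import Optional

# Byte values from the kernel: type byte per security/integrity/integrity.h, hash_algo per include/uapi/linux/hash_info.h.
IMA_XATTR_DIGEST = 0x01      # legacy 'ima' template: bare sha1 digest follows
EVM_IMA_XATTR_DIGSIG = 0x03  # 'ima-sig': signature_v2_hdr, then the signature
IMA_XATTR_DIGEST_NG = 0x04   # 'ima-ng': hash_algo byte, then the digest
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160", 4: "sha256",
             5: "sha384", 6: "sha512", 7: "sha224"}
DIGEST_LEN = {"md5": 16, "sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}

def decode_ima_xattr(raw: bytes) -> dict:
    """Parse one security.ima value: type, hash algorithm and payload."""
    if not raw:
        raise ValueError("empty security.ima value")
    t = raw[0]
    if t == IMA_XATTR_DIGEST:
        return {"type": "digest", "algo": "sha1", "digest": raw[1:].hex()}
    if t == IMA_XATTR_DIGEST_NG:
        algo = HASH_ALGO.get(raw[1], f"unknown({raw[1]})")
        return {"type": "digest-ng", "algo": algo, "digest": raw[2:].hex(),
                "length_ok": DIGEST_LEN.get(algo) in (None, len(raw) - 2)}
    if t == EVM_IMA_XATTR_DIGSIG:
        # signature_v2_hdr: version(1) hash_algo(1) keyid(4, BE) sig_size(2, BE) sig[]
        algo = HASH_ALGO.get(raw[2], f"unknown({raw[2]})")
        return {"type": "sig", "version": raw[1], "algo": algo,
                "keyid": raw[3:7].hex(), "sig_len": int.from_bytes(raw[7:9], "big")}
    return {"type": f"unknown(0x{t:02x})", "algo": None}

def compare_copy(src: Optional[bytes], dst: Optional[bytes]) -> str:
    """Classify what happened to security.ima between a file and its tar/rsync copy."""
    if src is None:
        return "source had no security.ima"
    if dst is None:
        return "dropped: copy has no security.ima"
    if src == dst:
        return "preserved"
    a, b = decode_ima_xattr(src), decode_ima_xattr(dst)
    if a["type"] != b["type"]:
        return f"type changed: {a['type']} -> {b['type']}"
    if a["algo"] != b["algo"]:
        return f"rehashed: {a['algo']} -> {b['algo']}"
    return "changed: same type and algorithm, different value"

def read_ima_xattr(path: str) -> Optional[bytes]:
    """Read security.ima from a real file; None if it is absent or unreadable."""
    try:
        return os.getxattr(path, "security.ima")
    except OSError:
        return None
```

Read the values from real files with read_ima_xattr and pass the original and the copy to compare_copy; a "rehashed: sha256 -> sha1" result on the copy is what the sha1 default described above would produce.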