From: Patrick O. <pat...@in...> - 2016-07-18 12:21:54

On Mon, 2016-07-18 at 08:08 -0400, Mimi Zohar wrote:
> Commit c68ed80 "ima: limit file hash setting by user to fix and log
> modes" is a form of system hardening. Before reverting it, let's see if
> there is another option.
>
> Could we summarize the problem as:
> - the kernel prevents writing security.ima hashes.
> - the kernel only writes security.ima hashes for files that are in
> policy.
> - the userspace tool doesn't know what is in/out of policy.
> - the userspace tool doesn't differentiate between hashes and
> signatures.
> - the boot process doesn't permit changing the boot command line options
> (eg. fix mode).
> - the update tool compares file data and metadata with those on the
> server

Correct.

> Currently, you said there is no IMA policy. Would it make sense to
> invert that to all files are in policy? That way the kernel would write
> the file hash as security.ima on all files (that are not signed).
>
> The file metadata would match the update server. Only the userspace
> tool (bsdtar) would need to be modified to selectively write xattrs -
> either no security.ima xattrs or only security.ima file signatures.

This would work, but I don't like the prospect of having to patch bsdtar like that. Including or excluding xattrs by name is conceptually okay (GNU tar has that), but filtering by value of an xattr adds domain-specific knowledge to bsdtar which just doesn't belong there.

Perhaps some custom tool built on top of libarchive would be okay - basically a custom "bsdtar -xf -".

--
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter.
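The xattr filtering the thread discusses (write no security.ima at all, or only security.ima file signatures so the kernel's restriction on user-written hashes is never tripped) comes down to telling a hash from a signature by the value's leading type byte. This is an added illustration, not code from the thread, bsdtar or libarchive; it assumes the type-byte values from the kernel's integrity headers (0x01 IMA_XATTR_DIGEST, 0x03 EVM_IMA_XATTR_DIGSIG, 0x04 IMA_XATTR_DIGEST_NG), and the sample xattr maps are constructed.

```python
import hashlib

# security.ima type bytes (assumed from the kernel's integrity headers).
IMA_XATTR_DIGEST = 0x01      # legacy SHA-1 hash, no algorithm byte
EVM_IMA_XATTR_DIGSIG = 0x03  # file signature
IMA_XATTR_DIGEST_NG = 0x04   # hash preceded by a hash-algorithm byte


def classify_security_ima(value: bytes) -> str:
    """Return "hash", "signature" or "unknown" for a raw security.ima value."""
    if not value:
        return "unknown"
    kind = value[0]
    if kind in (IMA_XATTR_DIGEST, IMA_XATTR_DIGEST_NG):
        return "hash"
    if kind == EVM_IMA_XATTR_DIGSIG:
        return "signature"
    return "unknown"


def filter_xattrs(xattrs: dict, mode: str) -> dict:
    """Select which xattrs a custom extractor should write back to disk.

    mode "drop":     never write security.ima; the kernel recomputes it for
                     files in policy, so user writes of hashes are avoided.
    mode "sig-only": write security.ima only when it holds a signature.
    All other xattrs pass through unchanged.
    """
    if mode not in ("drop", "sig-only"):
        raise ValueError(f"unknown mode {mode!r}")
    out = {}
    for name, value in xattrs.items():
        if name != "security.ima":
            out[name] = value
        elif mode == "sig-only" and classify_security_ima(value) == "signature":
            out[name] = value
    return out


# Constructed sample values (not real on-disk data).
SAMPLE_HASH = bytes([IMA_XATTR_DIGEST_NG, 0x04]) + hashlib.sha256(b"file").digest()
SAMPLE_SIG = bytes([EVM_IMA_XATTR_DIGSIG, 0x02, 0x04]) + b"\x00" * 4 + b"\x01\x00" + b"\xab" * 256
SAMPLE_XATTRS_HASH = {"user.foo": b"bar", "security.ima": SAMPLE_HASH}
SAMPLE_XATTRS_SIG = {"user.foo": b"bar", "security.ima": SAMPLE_SIG}
```

Applying the result to an extracted file would use `os.setxattr` per surviving entry; the example stops at the selection step the thread argues does not belong in bsdtar itself.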