From: Mimi Z. <zo...@li...> - 2016-11-28 22:45:14

On Mon, 2016-11-28 at 21:29 +0100, Svart Kanin wrote:
> Hi,
> thanks for the reply.
>
> > After accessing testfile.txt, does it appear in the measurement list
> > this point?
>
> Yes, after I access the file, it is listed in the measurement list
> ascii_runtime_measurements,
> but shouldn't it be already measured on reboot then as well even though the
> file has not been accessed yet?

On a hard boot, the measurement list starts out empty. Based on policy,
measurements are added on file open, mmap, or execute. On a soft reboot
(e.g. kexec), we're working on carrying the measurements across kexec.

> Now not only the testFile.txt which was assigned the 'M' attribute is added
> to the measurement list,
> but every other file as well that is being accessed!?

What is measured is based on policy.

> > The policy needs to be loaded on reboot. dracut and systemd have
> > modules that load the IMA policy, but they're enabled by default.
>
> This means that the policies should be loaded automatically already?

Oops, that should have said that although there are dracut and systemd
modules for loading the policy, they still need to be enabled.

> > No, it doesn't require a reboot, but it does require the file system to
> > be mounted with i_version. Otherwise, files that change aren't
> > re-measured.
>
> So if the filesystem is mounted with i_version, and labels are going to be
> assigned,
> then the file should be measured immediately as soon as the label has been
> assigned,
> and not when the file is accessed the first time?

No, reading/writing xattrs does not access the file itself. So the file is
not measured, even with the file_check rule.

Mimi
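The i_version point above (a changed file is not re-measured, so the list can go stale) suggests a simple check a defender can run: compare the hash recorded in ascii_runtime_measurements with the file's current hash. The script below is an added example, not code from the thread or from the IMA project; it assumes ima-ng template entries and embeds a constructed sample list plus a temporary file so it runs offline.

```shell
#!/bin/sh
# Added example: check a path against a measurement list in the
# ascii_runtime_measurements format. Entries are assumed to be ima-ng:
#   "<pcr> <template-hash> ima-ng <algo>:<file-hash> <path>"
# On a live system read /sys/kernel/security/ima/ascii_runtime_measurements;
# here a constructed sample is embedded instead.

WORK="${TMPDIR:-/tmp}/ima-demo.$$"
mkdir -p "$WORK"
printf 'hello\n' > "$WORK/testfile.txt"

# Constructed sample list. The testfile.txt hash is sha256("hello\n");
# the template-hash columns and other.bin are placeholders.
SAMPLE_LIST="10 0000000000000000000000000000000000000000 ima-ng sha256:5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 $WORK/testfile.txt
10 1111111111111111111111111111111111111111 ima-ng sha256:0000000000000000000000000000000000000000000000000000000000000000 $WORK/other.bin"

# Print the file hash recorded for PATH in LIST; fail if it was never measured.
ima_recorded_hash() {
    _list=$1; _path=$2
    printf '%s\n' "$_list" | awk -v p="$_path" \
        '$3 == "ima-ng" && $5 == p { sub(/^[a-z0-9]+:/, "", $4); print $4; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Hash a file with whichever sha256 tool is present (coreutils or perl shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
        | awk '{ print $1 }'
}

# Compare the on-disk hash with the recorded one.
# Prints one of: match | mismatch | unmeasured
ima_check_path() {
    _list=$1; _path=$2
    if ! _rec=$(ima_recorded_hash "$_list" "$_path"); then
        echo unmeasured; return 0
    fi
    if [ "$_rec" = "$(file_sha256 "$_path")" ]; then echo match; else echo mismatch; fi
}

ima_check_path "$SAMPLE_LIST" "$WORK/testfile.txt"   # match
printf 'tampered\n' > "$WORK/testfile.txt"
ima_check_path "$SAMPLE_LIST" "$WORK/testfile.txt"   # mismatch: list entry is stale
```

A "mismatch" is exactly the state the thread warns about: the file changed but, without i_version, no new measurement was taken.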