From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Joshua Brindle <method@manicmethod.com>,
selinux@tycho.nsa.gov, zohar@us.ibm.com, safford@watson.ibm.com,
sailer@us.ibm.com
Subject: Re: [RFC]integrity: SELinux patch
Date: Fri, 21 Sep 2007 10:02:39 -0400
Message-ID: <1190383359.11091.26.camel@localhost.localdomain>
In-Reply-To: <1190293949.12553.23.camel@moss-spartans.epoch.ncsc.mil>
On Thu, 2007-09-20 at 09:12 -0400, Stephen Smalley wrote:
> In any event, I don't think we are really at the point of just cleaning
> up implementation nits in these integrity patches - I think there needs
> to be more discussion and work on the overall design, hook placement and
> coverage, how it will be used in practice, who would use it, etc. Which
> goes beyond just how it would be integrated with selinux. I haven't
> really seen a compelling argument and concept of operations so far. As
> a general concept, I can see potential value in integrity measurement
> (although lots of pitfalls too), but I'm not sure that this approach is
> going to yield that value.
>
> I had hoped that others more involved or interested in integrity
> measurement might have weighed in on the discussion (hint, hint).
We were just about to post the latest LIM patches as an RFC to LKML. If
we can get a discussion going here first, that would be great. I will
repost the latest set of patches.
In terms of design, the integrity provider would be responsible for
maintaining file integrity information, which an LSM module could query
via the LIM integrity_verify_metadata/data() API. For now, we are
releasing an IMA-only integrity provider, which implements the LIM
integrity_measure() API. When integrity_measure() is called, IMA
submits the measurement (hash) of the file to the TPM chip, for
inclusion in one of the chip's Platform Configuration Registers (PCR).
IMA also keeps a list of all file names and hashes that have been
submitted to the TPM, which can be viewed through securityfs.
We have a number of enterprise customers who use the old LSM-based IMA
(http://sourceforge.net/projects/linux-ima). They use it to monitor
file integrity and version level on large server farms. Their top two
requests have been to get IMA off of LSM, so that they can use it with
SELinux and AppArmor, and to get it upstream, so that it will be
supported. These customers are using just the measurement/attestation
portion of LIM. The verification of labels and data is more oriented to
enterprise verification of configuration of the labels, and to protect
clients and servers from off-line attacks.
This is a request for comments for updates to the LIM integrity
service framework, previously accepted into -mm, an IMA-only
integrity service provider, and a SELinux integrity patch.
Patch 1/4 integrity: LIM api, hooks, and dummy provider
Patch 2/4 integrity: IMA service provider
Patch 3/4 integrity: TPM internal kernel interface
Patch 4/4 integrity: SELinux LIM calls
Mimi Zohar
David Safford
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
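The measurement/attestation flow Mimi describes above, as an added example that is not part of this thread or of the LIM/IMA code: a simulated provider hashes each file, extends a software PCR the way a TPM 1.2 extend does (SHA-1 over the old value concatenated with the new measurement) and keeps the measurement list, and a verifier replays that list to check it against the PCR value it was given. The class and function names and the sample file contents are assumptions made for the example.

```python
import hashlib

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


def pcr_extend(pcr, digest):
    # TPM extend operation: new PCR = SHA1(old PCR || digest).
    # A PCR can only be accumulated, never rewound, which is what
    # ties the measurement list to the chip.
    return hashlib.sha1(pcr + digest).digest()


class SimulatedIMA:
    """Stand-in for the IMA-only integrity provider (hypothetical names)."""

    def __init__(self):
        self.pcr = bytes(PCR_SIZE)   # PCRs start at zero after power-on
        self.measurement_list = []   # what IMA exposes through securityfs

    def integrity_measure(self, filename, data):
        # Hash the file, extend the PCR, record (name, hash) in the list.
        digest = hashlib.sha1(data).digest()
        self.pcr = pcr_extend(self.pcr, digest)
        self.measurement_list.append((filename, digest))
        return digest


def replay(measurement_list):
    # Verifier side: recompute the PCR from the list alone.
    pcr = bytes(PCR_SIZE)
    for _, digest in measurement_list:
        pcr = pcr_extend(pcr, digest)
    return pcr


def verify(measurement_list, quoted_pcr):
    # The list is trustworthy only if replaying it reproduces the PCR
    # value quoted by the TPM; a dropped, altered or reordered entry
    # changes the replayed value.
    return replay(measurement_list) == quoted_pcr


def demo():
    ima = SimulatedIMA()
    # Constructed sample "files" standing in for measured executables.
    ima.integrity_measure("/sbin/init", b"#!/bin/sh\nexec /bin/init\n")
    ima.integrity_measure("/bin/sh", b"ELF sample sh")
    ok = verify(ima.measurement_list, ima.pcr)
    # Rewriting the list entry for /bin/sh after the fact is detected:
    # the chip already absorbed the real hash, so the replay no longer matches.
    tampered = list(ima.measurement_list)
    tampered[1] = ("/bin/sh", hashlib.sha1(b"ELF altered sh").digest())
    return ok, verify(tampered, ima.pcr)


if __name__ == "__main__":
    print(demo())
```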