From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: Eric Paris <eparis@parisplace.org>,
	linux kernel mailing list <linux-kernel@vger.kernel.org>,
	LSM List <linux-security-module@vger.kernel.org>
Subject: Re: IMA: How to manage user space signing policy with others
Date: Tue, 05 Mar 2013 15:40:18 -0500
Message-ID: <1362516018.4392.233.camel@falcor1>
In-Reply-To: <20130305151829.GB4519@redhat.com>

On Tue, 2013-03-05 at 10:18 -0500, Vivek Goyal wrote:

> Can we do the following? (Just modifying your proposal a little bit.)
> 
> - Implement a new policy, say ima_mem_exec. This policy can vary based on
>   config options. This will be the default policy.

Just to clarify, the default is the existing null policy.  When
'secureboot' is enabled, ima_mem_exec will be the default policy.

> - ima_mem_exec will be the default policy and it can be disabled by passing
>   a command line option ima_mem_exec_disable.
> 
> - If the user wants to use the ima_appraise_tcb policy, they can pass two command
>   line options (ima_mem_exec_disable and ima_appraise_tcb).

Both aren't really needed.   Nothing changes for existing users, if
'ima_appraise_tcb' replaces the ima_mem_exec policy. 

> - Similarly, if a user wants to put their own policy using the "policy" interface,
>   they need to boot the kernel with the command line option "ima_mem_exec_disable".

Not a good idea, as this would be a new requirement for existing users.
Invert the logic.

> In the end, this is again an "either A or B" mechanism. Both ima_mem_exec
> and ima_appraise_tcb are not co-existing. The command line option just enables
> choosing one over the other.

Does this impact 'ima_tcb' or only 'ima_appraise_tcb'?

> Given that we are able to replace the ima_mem_exec policy using the command
> line, the binary loader will need a way to query IMA to find out what the
> current policy is. If ima_mem_exec has been replaced, then the binary loader
> will not memlock files and will not raise extra capability to the binary. And
> this will disable kdump functionality on secureboot platforms. (Something
> which I don't like much).

Ok

thanks,

Mimi

