From: "Serge E. Hallyn" <serge@hallyn.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>,
Seth Forshee <seth.forshee@canonical.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Dongsu Park <dongsu@kinvolk.io>, Alban Crequy <alban@kinvolk.io>,
"Serge E . Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH v3 3/4] ima: fail signature verification based on policy
Date: Mon, 12 Mar 2018 14:28:06 -0500 [thread overview]
Message-ID: <20180312192806.GD29878@mail.hallyn.com> (raw)
In-Reply-To: <1520540650-7451-4-git-send-email-zohar@linux.vnet.ibm.com>
Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> This patch addresses the fuse privileged mounted filesystems in
> environments which are unwilling to accept the risk of trusting the
> signature verification and want to always fail safe, but are for example
> using a pre-built kernel.
>
> This patch defines a new builtin policy named "fail_securely", which can
> be specified on the boot command line as an argument to "ima_policy=".
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Cc: Miklos Szeredi <miklos@szeredi.hu>
> Cc: Seth Forshee <seth.forshee@canonical.com>
> Cc: Eric W. Biederman <ebiederm@xmission.com>
> Cc: Dongsu Park <dongsu@kinvolk.io>
> Cc: Alban Crequy <alban@kinvolk.io>
> Cc: Serge E. Hallyn <serge@hallyn.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
but,
>
> ---
> Changelog v3:
> - Rename the builtin policy name
>
> Changelog v2:
> - address the fail safe environement
>
> Documentation/admin-guide/kernel-parameters.txt | 8 +++++++-
> security/integrity/ima/ima_appraise.c | 11 ++++++-----
> security/integrity/ima/ima_main.c | 3 ++-
> security/integrity/ima/ima_policy.c | 5 +++++
> security/integrity/integrity.h | 1 +
> 5 files changed, 21 insertions(+), 7 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 1d1d53f85ddd..2cc17dc7ab84 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1525,7 +1525,8 @@
>
> ima_policy= [IMA]
> The builtin policies to load during IMA setup.
> - Format: "tcb | appraise_tcb | secure_boot"
> + Format: "tcb | appraise_tcb | secure_boot |
> + fail_securely"
>
> The "tcb" policy measures all programs exec'd, files
> mmap'd for exec, and all files opened with the read
> @@ -1540,6 +1541,11 @@
> of files (eg. kexec kernel image, kernel modules,
> firmware, policy, etc) based on file signatures.
>
> + The "fail_securely" policy forces file signature
> + verification failure also on privileged mounted
> + filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
> + flag.
> +
> ima_tcb [IMA] Deprecated. Use ima_policy= instead.
> Load a policy which meets the needs of the Trusted
> Computing Base. This means IMA will measure all
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 4bafb397ee91..3034935e1eb3 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -304,12 +304,13 @@ int ima_appraise_measurement(enum ima_hooks func,
> out:
> /*
> * File signatures on some filesystems can not be properly verified.
> - * On these filesytems, that are mounted by an untrusted mounter,
> - * fail the file signature verification.
> + * On these filesytems, that are mounted by an untrusted mounter or
How about "When such filesystems are mounted by an untrusted mounter or
on a system not willing to accept such a risk, ..." ?
(also filesytems is misspelled :)
> + * for systems not willing to accept the risk, fail the file signature
> + * verification.
> */
WARNING: multiple messages have this Message-ID (diff)
From: serge@hallyn.com (Serge E. Hallyn)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v3 3/4] ima: fail signature verification based on policy
Date: Mon, 12 Mar 2018 14:28:06 -0500 [thread overview]
Message-ID: <20180312192806.GD29878@mail.hallyn.com> (raw)
In-Reply-To: <1520540650-7451-4-git-send-email-zohar@linux.vnet.ibm.com>
Quoting Mimi Zohar (zohar at linux.vnet.ibm.com):
> This patch addresses the fuse privileged mounted filesystems in
> environments which are unwilling to accept the risk of trusting the
> signature verification and want to always fail safe, but are for example
> using a pre-built kernel.
>
> This patch defines a new builtin policy named "fail_securely", which can
> be specified on the boot command line as an argument to "ima_policy=".
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Cc: Miklos Szeredi <miklos@szeredi.hu>
> Cc: Seth Forshee <seth.forshee@canonical.com>
> Cc: Eric W. Biederman <ebiederm@xmission.com>
> Cc: Dongsu Park <dongsu@kinvolk.io>
> Cc: Alban Crequy <alban@kinvolk.io>
> Cc: Serge E. Hallyn <serge@hallyn.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
but,
>
> ---
> Changelog v3:
> - Rename the builtin policy name
>
> Changelog v2:
> - address the fail safe environement
>
> Documentation/admin-guide/kernel-parameters.txt | 8 +++++++-
> security/integrity/ima/ima_appraise.c | 11 ++++++-----
> security/integrity/ima/ima_main.c | 3 ++-
> security/integrity/ima/ima_policy.c | 5 +++++
> security/integrity/integrity.h | 1 +
> 5 files changed, 21 insertions(+), 7 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 1d1d53f85ddd..2cc17dc7ab84 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1525,7 +1525,8 @@
>
> ima_policy= [IMA]
> The builtin policies to load during IMA setup.
> - Format: "tcb | appraise_tcb | secure_boot"
> + Format: "tcb | appraise_tcb | secure_boot |
> + fail_securely"
>
> The "tcb" policy measures all programs exec'd, files
> mmap'd for exec, and all files opened with the read
> @@ -1540,6 +1541,11 @@
> of files (eg. kexec kernel image, kernel modules,
> firmware, policy, etc) based on file signatures.
>
> + The "fail_securely" policy forces file signature
> + verification failure also on privileged mounted
> + filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
> + flag.
> +
> ima_tcb [IMA] Deprecated. Use ima_policy= instead.
> Load a policy which meets the needs of the Trusted
> Computing Base. This means IMA will measure all
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 4bafb397ee91..3034935e1eb3 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -304,12 +304,13 @@ int ima_appraise_measurement(enum ima_hooks func,
> out:
> /*
> * File signatures on some filesystems can not be properly verified.
> - * On these filesytems, that are mounted by an untrusted mounter,
> - * fail the file signature verification.
> + * On these filesytems, that are mounted by an untrusted mounter or
How about "When such filesystems are mounted by an untrusted mounter or
on a system not willing to accept such a risk, ..." ?
(also filesytems is misspelled :)
> + * for systems not willing to accept the risk, fail the file signature
> + * verification.
> */
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-03-12 19:28 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-08 20:24 [PATCH v3 0/4] unverifiable file signatures Mimi Zohar
2018-03-08 20:24 ` Mimi Zohar
2018-03-08 20:24 ` [PATCH v3 1/4] ima: fail file signature verification on non-init mounted filesystems Mimi Zohar
2018-03-08 20:24 ` Mimi Zohar
2018-03-12 19:17 ` Serge E. Hallyn
2018-03-12 19:17 ` Serge E. Hallyn
2018-03-12 19:26 ` Serge E. Hallyn
2018-03-12 19:26 ` Serge E. Hallyn
2018-03-13 18:45 ` Eric W. Biederman
2018-03-13 18:45 ` Eric W. Biederman
2018-03-08 20:24 ` [PATCH v3 2/4] ima: re-evaluate files on privileged " Mimi Zohar
2018-03-08 20:24 ` Mimi Zohar
2018-03-12 19:18 ` Serge E. Hallyn
2018-03-12 19:18 ` Serge E. Hallyn
2018-03-13 19:24 ` Eric W. Biederman
2018-03-13 19:24 ` Eric W. Biederman
2018-03-08 20:24 ` [PATCH v3 3/4] ima: fail signature verification based on policy Mimi Zohar
2018-03-08 20:24 ` Mimi Zohar
2018-03-12 19:28 ` Serge E. Hallyn [this message]
2018-03-12 19:28 ` Serge E. Hallyn
2018-03-12 19:32 ` Mimi Zohar
2018-03-12 19:32 ` Mimi Zohar
2018-03-13 19:31 ` Eric W. Biederman
2018-03-13 19:31 ` Eric W. Biederman
2018-03-08 20:24 ` [PATCH v3 4/4] fuse: define the filesystem as untrusted Mimi Zohar
2018-03-08 20:24 ` Mimi Zohar
2018-03-12 19:29 ` Serge E. Hallyn
2018-03-12 19:29 ` Serge E. Hallyn
2018-03-13 14:46 ` Stefan Berger
2018-03-13 14:46 ` Stefan Berger
2018-03-14 14:27 ` Serge E. Hallyn
2018-03-14 14:27 ` Serge E. Hallyn
2018-03-14 14:37 ` Stefan Berger
2018-03-14 14:37 ` Stefan Berger
2018-03-13 19:32 ` Eric W. Biederman
2018-03-13 19:32 ` Eric W. Biederman
2018-03-19 11:57 ` Mimi Zohar
2018-03-19 11:57 ` Mimi Zohar
2018-03-19 11:57 ` Mimi Zohar
2018-03-14 7:52 ` Stef Bon
2018-03-14 7:52 ` Stef Bon
2018-03-14 13:01 ` Mimi Zohar
2018-03-14 13:01 ` Mimi Zohar
2018-03-14 16:17 ` Eric W. Biederman
2018-03-14 16:17 ` Eric W. Biederman
2018-03-14 17:50 ` Mimi Zohar
2018-03-14 17:50 ` Mimi Zohar
2018-03-14 17:50 ` Mimi Zohar
2018-03-14 18:08 ` Chuck Lever
2018-03-14 18:08 ` Chuck Lever
2018-03-14 19:46 ` Eric W. Biederman
2018-03-14 19:46 ` Eric W. Biederman
2018-03-14 20:34 ` Chuck Lever
2018-03-14 20:34 ` Chuck Lever
2018-03-14 21:42 ` Eric W. Biederman
2018-03-14 21:42 ` Eric W. Biederman
2018-03-14 22:53 ` Michael Halcrow
2018-03-14 22:53 ` Michael Halcrow
2018-03-15 21:24 ` Mimi Zohar
2018-03-15 21:24 ` Mimi Zohar
2018-03-15 21:24 ` Mimi Zohar
2018-03-15 10:07 ` Stef Bon
2018-03-15 10:07 ` Stef Bon
2018-03-15 13:53 ` Chuck Lever
2018-03-15 13:53 ` Chuck Lever
2018-03-15 22:05 ` Mimi Zohar
2018-03-15 22:05 ` Mimi Zohar
2018-03-13 19:40 ` [PATCH v3 0/4] unverifiable file signatures Eric W. Biederman
2018-03-13 19:40 ` Eric W. Biederman
2018-03-13 20:40 ` Mimi Zohar
2018-03-13 20:40 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180312192806.GD29878@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=alban@kinvolk.io \
--cc=dongsu@kinvolk.io \
--cc=ebiederm@xmission.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=seth.forshee@canonical.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.