Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

[Roberto Sassu <roberto.sassu@polito.it>]

On 02/21/2012 02:01 PM, Mimi Zohar wrote:
> On Tue, 2012-02-21 at 11:05 +0100, Roberto Sassu wrote:
>
>> Ok. this should be not a problem because all errors (IMA support not
>> included in the kernel, policy file access denied, ...) are ignored
>> except for the mmap() failure.
>
> Hi Roberto, IMA should never return an error, only IMA-appraisal should
> enforce file integrity.  Can you please show me or send a patch?
>

Hi Mimi

do you intend a patch to reintroduce the 'ima=' kernel parameter for
enabling/disabling IMA? If so, i have not actually thought about this
but it should be not difficult to implement. Probably we can support
these modes:

- disabled: IMA returns immediately to the system call;
- measure_only: IMA performs only measurements and does not return any
   error to the system call;
- appraise_permissive: IMA stores measurements in the files extended
   attribute and in the measurements list but does not return any error
   to the system call even if the integrity check fails;
- appraise_enforce: IMA does the same as the previous mode but returns
   an error to the system call if the integrity check fails.

Further, we can have a simple user-space package which will contain the
documentation about how to write a policy (so that it will be more
easy to find in respect to the whole kernel documentation) and a tool
that will fix/verify the measurements stored in the files extended
attribute.

Having a separate user-space package will simplify the interaction for
users with the IMA kernel-space portion and will allow to determine
whether the IMA support should be enabled in Systemd.

Thanks

Roberto Sassu


> thanks,
>
> Mimi
>