From: Mimi Zohar <zohar@linux.ibm.com>
To: Kavitha Sivagnanam <kavi@juniper.net>,
	"linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>
Subject: Re: Can we enforce "IMA Policy" based on file type
Date: Thu, 25 Apr 2019 07:58:49 -0400	[thread overview]
Message-ID: <1556193529.3894.94.camel@linux.ibm.com> (raw)
In-Reply-To: <BYAPR05MB39753CB3CA47513EEADC134CC1270@BYAPR05MB3975.namprd05.prod.outlook.com>

On Fri, 2019-04-19 at 21:52 +0000, Kavitha Sivagnanam wrote:
> Hi
> 
> I am wondering, in the current implementation of IMA policy, if
> there is a way to enforce appraisal on a file based on the file
> type.  The file type that I am interested in enforcing the policy is
> for SquashFS files.
> 
> We want to check the signature on the SquashFS file itself before
> mounting it and mark the partition as read-only. This would allow us
> to have the flexibility of not signing every immutable file we are
> installing. Also, the installation process will be faster, as setting
> an extended attribute on every file is an extremely time-consuming
> process.  The signatures are generated at build time & we are using
> setfattr to set the security.ima attribute.
> 
> Is it possible to achieve this with the existing policy, or do we need
> an enhancement to the current IMA code? If we need to enhance the
> kernel to support this feature, where would we start?

As Matthew indicated, you could define LSM labels on the squashfs file
images.  Another option would be to extend IMA by implementing the LSM
security_sb_mount hook.  The IMA policy rule would probably look
something like:

appraise func=MOUNT_CHECK fsname=squashfs appraise_type=imasig

Mimi
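Added example, not part of the thread or of the kernel's own code: a small decoder for the security.ima value that setfattr writes onto a file, so a build pipeline can confirm an image actually carries a v2 signature header (which is what a rule with appraise_type=imasig looks for) rather than a bare hash. The layout follows the kernel's struct signature_v2_hdr and enum hash_algo; the sample xattr bytes are constructed.

```python
import struct

# Type bytes and hash-algorithm numbering as used by the kernel's IMA/EVM
# xattr code (security/integrity/integrity.h, include/uapi/linux/hash_info.h).
IMA_XATTR_DIGEST = 0x01      # legacy: type byte followed by a raw md5/sha1 digest
EVM_IMA_XATTR_DIGSIG = 0x03  # signature_v2_hdr, what appraise_type=imasig needs
IMA_XATTR_DIGEST_NG = 0x04   # type byte, hash_algo byte, digest
HASH_ALGO_NAMES = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
                   4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}


def parse_ima_xattr(raw: bytes) -> dict:
    """Decode a raw security.ima value into its fields."""
    if not raw:
        raise ValueError("empty security.ima value")
    xtype = raw[0]
    if xtype == EVM_IMA_XATTR_DIGSIG:
        # struct signature_v2_hdr (packed): type(1) version(1) hash_algo(1)
        # keyid(be32) sig_size(be16) sig[sig_size]
        if len(raw) < 9:
            raise ValueError("truncated signature header")
        version, algo, keyid, sig_size = struct.unpack(">BBIH", raw[1:9])
        if version != 2:
            raise ValueError(f"unsupported signature version {version}")
        sig = raw[9:]
        if len(sig) != sig_size:
            raise ValueError(f"header says {sig_size} sig bytes, found {len(sig)}")
        return {"type": "imasig", "hash_algo": HASH_ALGO_NAMES.get(algo, f"unknown({algo})"),
                "keyid": f"{keyid:08x}", "sig_size": sig_size}
    if xtype == IMA_XATTR_DIGEST_NG:
        if len(raw) < 2:
            raise ValueError("truncated digest header")
        algo = raw[1]
        return {"type": "hash", "hash_algo": HASH_ALGO_NAMES.get(algo, f"unknown({algo})"),
                "digest": raw[2:].hex()}
    if xtype == IMA_XATTR_DIGEST:
        # no algorithm byte: the kernel infers md5 vs sha1 from the digest length
        algo = {16: "md5", 20: "sha1"}.get(len(raw) - 1, "unknown")
        return {"type": "hash", "hash_algo": algo, "digest": raw[1:].hex()}
    raise ValueError(f"unknown security.ima type 0x{xtype:02x}")


def satisfies_imasig(raw: bytes) -> bool:
    """True only if the xattr holds a signature; a hash-only xattr would fail
    appraisal under a rule with appraise_type=imasig."""
    try:
        return parse_ima_xattr(raw)["type"] == "imasig"
    except ValueError:
        return False


# Constructed sample (a real RSA signature would be 256+ bytes, not 4):
# type 0x03, version 2, sha256, keyid 0a1b2c3d, sig_size 4, sig deadbeef
SAMPLE_SIG_XATTR = bytes.fromhex("030204" "0a1b2c3d" "0004" "deadbeef")
```

On a real image, the raw value comes from `getfattr -n security.ima -e hex <image>` (or `os.getxattr(path, "security.ima")` on Linux) and is passed to parse_ima_xattr.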

