Linux Integrity Measurement development
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Enrico Bravi <enrico.bravi@polito.it>,
	linux-integrity@vger.kernel.org, dmitry.kasatkin@gmail.com,
	roberto.sassu@huawei.com
Cc: eric.snowberg@oracle.com
Subject: Re: [RFC][PATCH] ima: add measurement for first unverified write on ima policy file
Date: Tue, 25 Feb 2025 20:53:27 -0500	[thread overview]
Message-ID: <ecc4630b5e3161736aa1e32f037facb9123025fc.camel@linux.ibm.com> (raw)
In-Reply-To: <20250225131255.154826-1-enrico.bravi@polito.it>

On Tue, 2025-02-25 at 14:12 +0100, Enrico Bravi wrote:
> The first write on the ima policy file permits to override the default
> policy defined with the ima_policy= boot parameter. This can be done
> by adding the /etc/ima/ima-policy which allows loading the custom policy
> during boot. It is also possible to load custom policy at runtime through
> file operations:
> 
> cp custom_ima_policy /sys/kernel/security/ima/policy
> cat custom_ima_policy > /sys/kernel/security/ima/policy
> 
> or by writing the absolute path of the file containing the custom policy:
> 
> echo /path/of/custom_ima_policy > /sys/kernel/security/ima/policy
> 
> In these cases, file signature can be necessary to load the policy
> (func=POLICY_CHECK). Custom policy can also be set at runtime by directly
> writing the policy stream on the ima policy file:
> 
> echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \
>  	"audit func=BPRM_CHECK mask=MAY_EXEC\n" \
>      > /sys/kernel/security/ima/policy
> 
> In this case, there is no mechanism to verify the integrity of the new
> policy.
> 
> Add a new entry in the ima measurements list containing the ascii custom
> ima policy buffer when not verified at load time.
> 
> Signed-off-by: Enrico Bravi <enrico.bravi@polito.it>

Hi Enrico,

This patch set hard codes measuring the initial custom IMA policy rules that
replace the builtin policies specified on the boot command line.  IMA shouldn't
hard code policy.  I'm not quite sure why you're differentiating between
measuring the initial and subsequent custom IMA policy rules.  Consider defining
a new critical-data record to measure the current IMA policy rules.  Also
consider including the new critical-data rule in the arch specific policy rules.

thanks,

Mimi


  reply	other threads:[~2025-02-26  1:53 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-25 13:12 [RFC][PATCH] ima: add measurement for first unverified write on ima policy file Enrico Bravi
2025-02-26  1:53 ` Mimi Zohar [this message]
2025-02-26 22:53   ` Enrico  Bravi
2025-02-27  3:05     ` Mimi Zohar
2025-02-27 11:36       ` Enrico  Bravi
2025-02-27 14:49         ` Roberto Sassu
2025-03-03 10:26           ` Enrico  Bravi
2025-03-05  8:59             ` Roberto Sassu
2025-03-06  8:20               ` Enrico  Bravi
2025-03-06  8:47                 ` Roberto Sassu
2025-03-06 14:22                   ` Enrico  Bravi
2025-12-16 16:56 ` [RFC][PATCH v2 0/2] ima: measure write on securityfs " Enrico Bravi
2025-12-16 16:56 ` [RFC][PATCH v2 1/2] ima: measure loaded policy after " Enrico Bravi
2025-12-19 19:13   ` Mimi Zohar
2026-01-03 15:18     ` Enrico  Bravi
2025-12-16 16:56 ` [RFC][PATCH v2 2/2] ima: measure buffer sent to " Enrico Bravi
2025-12-22 14:01   ` Mimi Zohar
2026-01-03 15:21     ` Enrico  Bravi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ecc4630b5e3161736aa1e32f037facb9123025fc.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=enrico.bravi@polito.it \
    --cc=eric.snowberg@oracle.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=roberto.sassu@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox