public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: Eric Paris <eparis@parisplace.org>,
	linux kernel mailing list <linux-kernel@vger.kernel.org>,
	LSM List <linux-security-module@vger.kernel.org>
Subject: Re: IMA: How to manage user space signing policy with others
Date: Tue, 05 Mar 2013 15:40:18 -0500	[thread overview]
Message-ID: <1362516018.4392.233.camel@falcor1> (raw)
In-Reply-To: <20130305151829.GB4519@redhat.com>

On Tue, 2013-03-05 at 10:18 -0500, Vivek Goyal wrote:

> Can we do following. (Just modifying your proposal little bit).
> 
> - Implement a new policy say ima_mem_exec. This policy can vary based on
>   config options. This will be the default policy. 

Just to clarify, the default is the existing null policy.  When
'secureboot' is enabled, ima_mem_exec will be the default policy.

> - ima_mem_exec will be default policy and it can be disabled by passing
>   a command line option ima_mem_exec_disable.
> 
> - If user wants to use ima_apprase_tcb policy, they can pass two command
>   line option. (ima_mem_exec_disable  and ima_appraise_tcb).

Both aren't really needed.   Nothing changes for existing users, if
'ima_appraise_tcb' replaces the ima_mem_exec policy. 

> - Similary if user wants to put its own policy using "policy" interface,
>   they need to boot kernel with command line option "ima_mem_exec_disable".

Not a good idea, as this would be a new requirement for existing users.
Invert the logic.

> In the end, this is again "either A or B"  mechanism. Both ima_mem_exec
> and ima_appraise_tcb are not co-existing. Comand line option just enables
> choosing one over other.

Does this impact 'ima_tcb' or only 'ima_appraise_tcb'?

> The fact that we are able to replace ima_mem_exec policy using command
> line, binary loader will need a way to query IMA to find what's the
> current policy. If ima_mem_exec has been replaced, then binary loader
> will not memlock files and will not raise extra capability to binary. And
> this will disable kdump functionality on secureboot platforms. (Something
> which I don't like much).

Ok

thanks,

Mimi


  reply	other threads:[~2013-03-05 20:40 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-02-28 15:13 IMA: How to manage user space signing policy with others Vivek Goyal
2013-02-28 18:51 ` Vivek Goyal
2013-02-28 20:30   ` Mimi Zohar
2013-02-28 20:57     ` Vivek Goyal
2013-03-01  1:42       ` Mimi Zohar
2013-02-28 19:23 ` Mimi Zohar
2013-02-28 20:08   ` Vivek Goyal
2013-03-01  1:45     ` Mimi Zohar
2013-02-28 21:35   ` Vivek Goyal
2013-02-28 22:20     ` Eric Paris
2013-03-01  1:49       ` Mimi Zohar
2013-03-01 12:15         ` Mimi Zohar
2013-03-01 15:28           ` Vivek Goyal
2013-03-01 18:40             ` Vivek Goyal
2013-03-01 19:39               ` Mimi Zohar
2013-03-01 21:33                 ` Vivek Goyal
2013-03-03 21:42                   ` Mimi Zohar
2013-03-04 15:29                     ` Vivek Goyal
2013-03-04 17:46                       ` Vivek Goyal
2013-03-04 18:59                       ` Mimi Zohar
2013-03-04 19:15                         ` Vivek Goyal
2013-03-05  1:21                           ` Mimi Zohar
2013-03-05 15:18                             ` Vivek Goyal
2013-03-05 20:40                               ` Mimi Zohar [this message]
2013-03-05 21:53                                 ` Vivek Goyal
2013-03-06 15:42                                   ` Mimi Zohar
2013-03-06 23:55                                     ` Vivek Goyal
2013-03-07  1:39                                       ` Mimi Zohar
2013-03-07 14:36                                         ` Vivek Goyal
2013-03-07 15:40                                           ` Mimi Zohar
2013-03-07 15:53                                             ` Vivek Goyal
2013-03-07 17:53                                               ` Kasatkin, Dmitry
2013-03-07 21:56                                                 ` Vivek Goyal
2013-03-08  8:09                                                   ` Kasatkin, Dmitry
2013-03-08 15:40                                                     ` Vivek Goyal
2013-03-06 15:54                                 ` Vivek Goyal
2013-03-06 22:48                                   ` Mimi Zohar
2013-03-06 23:38                                     ` Vivek Goyal
2013-03-07 13:38                                       ` Mimi Zohar
2013-03-07 14:57                                         ` Vivek Goyal
2013-03-04 19:19                         ` Eric Paris
2013-03-04 21:47                     ` Vivek Goyal
2013-03-01  2:17     ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1362516018.4392.233.camel@falcor1 \
    --to=zohar@linux.vnet.ibm.com \
    --cc=eparis@parisplace.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=vgoyal@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox