From: Vivek Goyal <vgoyal@redhat.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: linux-security-module@vger.kernel.org,
Dmitry Kasatkin <dmitry.kasatkin@intel.com>,
James Morris <jmorris@namei.org>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 1/4] ima: added policy support for 'security.ima' type
Date: Thu, 31 Jan 2013 13:41:44 -0500 [thread overview]
Message-ID: <20130131184144.GC2580@redhat.com> (raw)
In-Reply-To: <1359585759.816.127.camel@falcor1.watson.ibm.com>
On Wed, Jan 30, 2013 at 05:42:39PM -0500, Mimi Zohar wrote:
> On Wed, 2013-01-30 at 16:53 -0500, Vivek Goyal wrote:
> > On Tue, Jan 22, 2013 at 05:07:31PM -0500, Mimi Zohar wrote:
> >
> > [..]
> > > /* iint cache flags */
> > > +#define IMA_ACTION_FLAGS 0xff00
> > > #define IMA_DIGSIG 0x0100
> > > +#define IMA_DIGSIG_REQUIRED 0x0200
> >
> > Hi Mimi,
> >
> > IMA_DIGSIG_REQUIRED state does not really have to be stored in iint I guess.
> > This is needed only if we go on to appraise and then we want to make
> > sure digital signatures are present. Once appraisal is done, IMG_DIGSIG
> > will be set and saved in iint->flags but looks like we don't require
> > IMA_DIGSIG_REQUIRED to be saved.
> >
> > If yes, will it make sense to not save it in iint. There are still 8
> > bits left unused. We can mark these 8 bits for temporary flags like
> > IMA_DIGSIG_REQUIRED. If that works, I can use same space for defining
> > additional temporary flags like IMA_DIGSIG_SIGNED_ONLY to handle the
> > case of appraise_type=imasig,signed_only. That flag also does not have
> > to be persistent in iint.
>
> Interesting idea. My only concern would be that we're not leaving room
> for additional hooks (eg. firmware).
Ok. May be we can employ another 32bit variable and put both of them in
a structure to expand it, when firmware hooks come along.
Or I can do that right now, if you like it that way.
I need to move out non-persistent flags from iint flags, otherwise it
can happen that conflicting flag might be set from different hooks.
For example, say hypothetically there are too hooks.
appraise fowner=0 func=mmap appraise_type=imasig
appraise fowner=0 func=BPRM_CHECK appraise_type=imasig_signed_only
Now this will lead to setting of both IMA_DISGIG_REQUIRED and
IMA_DIGSIG_SIGNED_ONLY in iint->flags and that does not mean much in
the context of iint.
So by keeping them temporary, these flags become kind of hook specific
and then two appraise hook don't conflict with each other.
Thanks
Vivek
next prev parent reply other threads:[~2013-01-31 18:41 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-22 22:07 [PATCH v2 0/4] ima: enforcing appraise type Mimi Zohar
2013-01-22 22:07 ` [PATCH v2 1/4] ima: added policy support for 'security.ima' type Mimi Zohar
2013-01-30 21:53 ` Vivek Goyal
2013-01-30 22:42 ` Mimi Zohar
2013-01-31 18:41 ` Vivek Goyal [this message]
2013-01-31 19:25 ` Mimi Zohar
2013-01-31 19:37 ` Vivek Goyal
2013-01-22 22:07 ` [PATCH v2 2/4] ima: increase iint flag size Mimi Zohar
2013-01-22 22:07 ` [PATCH v2 3/4] ima: per hook cache integrity appraisal status Mimi Zohar
2013-01-22 22:07 ` [PATCH v2 4/4] ima: differentiate appraise status only for hook specific rules Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130131184144.GC2580@redhat.com \
--to=vgoyal@redhat.com \
--cc=dmitry.kasatkin@intel.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox