Re: IMA: How to manage user space signing policy with others

[Vivek Goyal <vgoyal@redhat.com>]

On Fri, Mar 08, 2013 at 10:09:48AM +0200, Kasatkin, Dmitry wrote:

[..]
> > - File could have invalid signature still iint->DIGSIG could be set and
> >   security hook will return success.
> >         - Assume system has booted with ima_appraise_tcb policy.
> >         - A binary executes. bprm_check() is called and it will
> >           set iint->DIGSIG.
> >         - User goes ahead and replaces appraise policy with some
> >           other policy so no appraisal rule will match for same file.
> 
> Policy can only be replaced once. So if policy has been initialized at
> early-user-space,
> then it cannot be replaced...

Sure, but early user space does not have to initialize the "policy",
isn't. Atleast currently kernel can not enforce it. So root always
can decide to load the policy some time late. assume ima_appraise_tcb is
enabled at kernel command line.

Given that in secureboot environment we are not trusting root, it atleast
gives root a way to deceive IMA due to caching.
 
[..]
> > In summary, we can still solve the problem we can do few things.
> >
> > - Provide a reliable way to disable caching of iint->DIGSIG, digest
> >   and appraisal results.
> >
> > - Provide functions to access iint->DIGSIG after every file execution.

Actually if we have to disbale caching to make it work reliably, then
means we are not storing iint->DIGSIG and that means we can't access it
later with a helper function. So status of iint->DIGSIG has to be returned
with the hook itself and current security hooks don't have any extra
fields to do that.

Thanks
Vivek