Re: [Linux-ima-user] [RFC][PATCH] ima: add default rule for initramfs files

From: Seiji Munetoh
Date: Tue Jul 13 2010 - 18:08:31 EST


On Thu, Jul 8, 2010 at 10:14 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> On Tue, 2010-07-06 at 17:08 +0200, Roberto Sassu wrote:
>> This patch modifies the default policy shipped with IMA, in order to avoid measurements
>> of files in the initial ramdisk. Those files can be measured early in the boot process
>> by the bootloader.
>> The patch applies to the latest version of the mainline kernel, 2.6.35-rc4.
>
> Yes, the initramfs measurements are therefore redundant, as they're
> already included in the initramfs measurement, but perhaps, as the
> number of initramfs is very limited and the individual file measurements
> supply additional information, it wouldn't hurt to keep the individual
> file measurements as well.  These measurements could potentially help in
> identifying initramfs changes.
>
> Would appreciate other opinions before accepting this change.

The hash value of the initramfs is unstable, since it was generated
at the time of kernel installation.
So I still want to check the individual files used in the initramfs.

regards,
--
Seiji



>
> thanks,
>
> Mimi
>
>> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxx>
>> ---
>>  security/integrity/ima/ima_policy.c |    1 +
>>  1 files changed, 1 insertions(+), 0 deletions(-)
>>
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index aef8c0a..92d8d0e 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -64,6 +64,7 @@ static struct ima_measure_rule_entry default_rules[] = {
>>       {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
>>       {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
>>       {.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
>> +     {.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
>>       {.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,
>>        .flags = IMA_FUNC | IMA_MASK},
>>       {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
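Review bot: the new RAMFS_MAGIC rule excludes every ramfs superblock, not only the rootfs the initramfs is unpacked into; an fsmagic match works per filesystem type, exactly like the TMPFS_MAGIC rule two lines above, so executables on a ramfs mounted later by a privileged user are also skipped by the FILE_MMAP and BPRM_CHECK MEASURE rules below. Either state that trade-off in the commit message (the "measured early by the bootloader" rationale only holds for the initramfs image, and only when a measuring bootloader is present) or add a comment next to the rule saying it is intended for initramfs content, so a reader of default_rules[] does not take it for a rootfs-only exclusion.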
>
>
>
> _______________________________________________
> Linux-ima-user mailing list
> Linux-ima-user@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
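The two positions in the thread (the whole-initramfs hash changes whenever the image is regenerated; per-file measurements stay meaningful across that) can be shown concretely. The following is an added example written for this page, not code from the IMA project or the kernel tree. It builds the same file set into two cpio newc archives with different header mtimes, shows that the archive hashes differ while the per-file digests do not, and then verifies constructed ascii_runtime_measurements lines the way an attestation verifier would: recomputing each template hash, replaying PCR 10, and comparing file digests against the initramfs content. The file contents, mtimes and measurement lines are all constructed here; the template layout (20-byte SHA-1 of the file data followed by the filename hint NUL-padded to 256 bytes, template hash over those 276 bytes) is assumed to match the 2.6.35-era "ima" template, and the boot_aggregate digest is a placeholder rather than a real PCR 0-7 hash.

```python
import hashlib

CPIO_MAGIC = "070701"   # cpio "newc" header magic; the format initramfs images use
IMA_NAME_LEN = 256      # assumed file_name[] size of the 2.6.35 'ima' template


def cpio_newc(files, mtime):
    """Pack (name, data) pairs into a cpio newc archive held in memory. Every
    header carries `mtime`, so rebuilding the same files later (as a kernel
    install does) changes the archive bytes while the file data is unchanged."""
    out, ino = bytearray(), 0

    def record(name, data, mode):
        nonlocal ino
        ino += 1
        # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = (ino, mode, 0, 0, 1, mtime, len(data), 0, 0, 0, 0, len(name) + 1, 0)
        rec = (CPIO_MAGIC + "".join("%08x" % f for f in fields)).encode() + name.encode() + b"\0"
        rec += b"\0" * (-len(rec) % 4)            # header + name padded to 4 bytes
        rec += data + b"\0" * (-len(data) % 4)    # data padded to 4 bytes
        out.extend(rec)

    for name, data in files:
        record(name, data, 0o100755)
    record("TRAILER!!!", b"", 0)
    return bytes(out)


def cpio_read(archive):
    """Inverse of cpio_newc: return the (name, data) pairs in a newc archive."""
    off, files = 0, []
    while True:
        hdr = archive[off:off + 110].decode()
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        size, namesize = fields[6], fields[11]
        name = archive[off + 110:off + 110 + namesize - 1].decode()
        off += 110 + namesize
        off += -off % 4
        data = archive[off:off + size]
        off += size + (-size % 4)
        if name == "TRAILER!!!":
            return files
        files.append((name, data))


def file_digests(files):
    """Per-file SHA-1, keyed by the path IMA logs as the filename hint."""
    return {"/" + name: hashlib.sha1(data).hexdigest() for name, data in files}


def ima_template_hash(digest_hex, hint):
    """Template hash of one 'ima' entry: SHA-1 over the 20-byte file digest
    followed by the hint NUL-padded to 256 bytes (assumed 2.6.35 layout)."""
    name = hint.encode()[:IMA_NAME_LEN - 1]
    return hashlib.sha1(bytes.fromhex(digest_hex) + name + b"\0" * (IMA_NAME_LEN - len(name))).hexdigest()


def constructed_measurement_list(files, tampered=None):
    """Constructed ascii_runtime_measurements lines for a boot that ran every
    file in `files`; if `tampered` names one, it ran with modified content."""
    agg = "0" * 40  # placeholder boot_aggregate digest, not a real PCR 0-7 hash
    lines = ["10 %s ima %s boot_aggregate" % (ima_template_hash(agg, "boot_aggregate"), agg)]
    for name, data in files:
        hint = "/" + name
        if hint == tampered:
            data += b"# constructed modification\n"
        digest = hashlib.sha1(data).hexdigest()
        lines.append("10 %s ima %s %s" % (ima_template_hash(digest, hint), digest, hint))
    return lines


def verify_measurements(lines, expected):
    """Replay the list as a verifier would: recompute every template hash,
    extend a zeroed PCR 10 with it, and compare each file digest with the
    initramfs content held in `expected` (hint -> SHA-1 hex)."""
    pcr, status, template_ok = b"\0" * 20, {}, True
    for line in lines:
        pcr_idx, tmpl_hash, template, digest, hint = line.split(None, 4)
        if pcr_idx != "10" or template != "ima":
            continue
        template_ok = template_ok and ima_template_hash(digest, hint) == tmpl_hash
        pcr = hashlib.sha1(pcr + bytes.fromhex(tmpl_hash)).digest()
        if hint in expected:
            status[hint] = "ok" if digest == expected[hint] else "mismatch"
    return {"pcr10": pcr.hex(), "template_ok": template_ok, "status": status}


FILES = [  # constructed initramfs content
    ("init", b"#!/bin/sh\nmount -t proc proc /proc\nexec /sbin/init\n"),
    ("bin/busybox", b"\x7fELF constructed stand-in for a static busybox\n"),
    ("sbin/init", b"\x7fELF constructed stand-in for init\n"),
]


def demo():
    built = cpio_newc(FILES, mtime=1278000000)      # image from the original install
    rebuilt = cpio_newc(FILES, mtime=1278600000)    # same files, regenerated a week later
    expected = file_digests(FILES)
    return {
        "archive_hashes_differ": hashlib.sha1(built).digest() != hashlib.sha1(rebuilt).digest(),
        "per_file_hashes_stable": file_digests(cpio_read(built)) == file_digests(cpio_read(rebuilt)) == expected,
        "good": verify_measurements(constructed_measurement_list(FILES), expected),
        "bad": verify_measurements(constructed_measurement_list(FILES, tampered="/bin/busybox"), expected),
    }
```

Running `demo()` shows the archive digest moving with the mtime while the per-file digests recovered from both archives are identical, the clean list replaying with every initramfs file reported "ok", and the tampered list reporting "/bin/busybox" as "mismatch" with a different PCR 10 value. On a real system the replayed PCR 10 is compared against a TPM quote rather than trusted from the list itself, and the RAMFS_MAGIC rule in the patch above would remove exactly the /init and /bin/busybox style entries from such a list, leaving only the whole-image measurement to stand for them.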