Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

[Vivek Goyal]

On Thu, Feb 14, 2013 at 03:54:45PM -0500, Vivek Goyal wrote:
> On Thu, Feb 14, 2013 at 02:49:16PM -0500, Mimi Zohar wrote:
> 
> [..]
> > > > I think you're making this more complicated than it needs to be.  Allow
> > > > the execution unless the file failed signature verification.  The
> > > > additional capability is given only if the signature verification
> > > > succeeds.
> > > 
> > > I am just trying to bring it inline with module signature verification.
> > > There also module loading fails if signatures are present but kernel
> > > can't verify it.
> > 
> > A specific hook is defined for kernel module signature verification,
> > which is enabled/disabled in Kconfig.  When enabled, only signed modules
> > are loaded.  The kernel module hook does not verify the integrity of the
> > userspace application (eg. insmod, modprobe), but of the kernel module
> > being loaded.
> > 
> > Your original patches verified the integrity of the userspace
> > application kexec, not the image being loaded.  ima_bprm_check()
> > verifies the integrity of executables.  To permit both signed and
> > unsigned files to execute, we defined the 'optional' IMA policy flag,
> > with the intention of giving more capability to signed executables.
> > 
> > Unless we define a kexec specific hook for verifying kernel images, it's
> > not the same.
> 
> I think we are talking of two different things here.
> 
> I am referring to kernel module signing where signatures are appended
> to module (not IMA hook).
> 
> Also I am just referring to behavior about what happens if some error
> happens while signature verification.
> 
> - If signature verification fails, it is clear what to do.
> - If signature verification passes, it is clear what to do.
> - Grey area is, what happens if some error is encountered during signature
>   verification. Should the module loading be allowed/disallowed. Looking
>   at the module loading code, once it is determined that module has
>   signature appended to it, module loading fails if some error occurs
>   during signature verification.
> 
> So I am just referring to that fact and trying to draw parallels between
> error handling during module signature verification and error handling
> when file appraisal happens in IMA. 
> 
> There can be two options.
> 
> - Disallow execution only if signature verification fails. If some error
>   happens during verification, ignore it, let the executable continue.
>   Just that it does not get extra capability.
> 
> - Disallow execution only if executable is not signed or it has valid
>   signature. If executable is signed and some error happens during the
>   process of verifying signature, execution is denied.
> 

Little typo in second option. I meant "Allow execution only if executable
is not signed or it has valid signatures".

Thanks
Vivek
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/