Re: [PATCH] IMA: do not measure everything opened by root bydefault

From: Mimi Zohar
Date: Tue May 12 2009 - 17:18:44 EST

Next message: Alexander Y. Fomichev: "jsm: two or more 4/8-port boards can not initialize ports properly"
Previous message: Thomas Gleixner: "Re: [PATCH 0/2] itimers: periodic timers fixes"
In reply to: Eric Paris: "[PATCH] IMA: do not measure everything opened by root by default"
Next in thread: Eric Paris: "Re: [PATCH] IMA: do not measure everything opened by root bydefault"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2009-05-12 at 15:14 -0400, Eric Paris wrote:
> The IMA default policy measures every single file opened by root. This is
> terrible for most users. Consider a system (like mine) with virtual machine
> images. When those images are touched (which happens at boot for me) those
> images are measured. This is just way too much for the default case.
>
> Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>

The question of what to measure is a major issue. If you measure too
much, performance is affected, but if you measure too little, then the
measurement list will not contain everything that could affect the
Trusted Computing Base(TCB), such as configuration files and scripts.

The solution is not to remove the rule that measures everything read
by root, but to replace the default IMA configuration file with an LSM
specific one, which should be done early in the etc init scripts or
initrd. LTP contains a sample script to replace the default IMA policy
(testcases/kernel/security/integrity/ima/tests/ima_policy.sh).

The following SELinux integrity rule, prevents /var/log/messages from
being measured. (Dependent on "integrity: lsm audit rule matching fix"
patch in the security-testing tree.)

dont_measure func=PATH_CHECK mask=MAY_READ obj_type=var_log_t

By defining an equivalent SELinux integrity rule for each virtual
machine image type, the virtual machine images will not be measured.
This is far better than not measuring everything in the TCB.

Mimi Zohar

> ---
>
> security/integrity/ima/ima_policy.c | 2 --
> 1 files changed, 0 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index b168c1d..dec6dcb 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -61,8 +61,6 @@ static struct ima_measure_rule_entry default_rules[] = {
> .flags = IMA_FUNC | IMA_MASK},
> {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
> .flags = IMA_FUNC | IMA_MASK},
> - {.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
> - .flags = IMA_FUNC | IMA_MASK | IMA_UID}
> };
>
> static LIST_HEAD(measure_default_rules);
>

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alexander Y. Fomichev: "jsm: two or more 4/8-port boards can not initialize ports properly"
Previous message: Thomas Gleixner: "Re: [PATCH 0/2] itimers: periodic timers fixes"
In reply to: Eric Paris: "[PATCH] IMA: do not measure everything opened by root by default"
Next in thread: Eric Paris: "Re: [PATCH] IMA: do not measure everything opened by root bydefault"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]