[systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies

Roberto Sassu roberto.sassu at polito.it
Tue Feb 21 02:05:46 PST 2012


On 02/20/2012 08:18 PM, Lennart Poettering wrote:
> On Mon, 20.02.12 20:06, Roberto Sassu (roberto.sassu at polito.it) wrote:
>
>>> We moved SELinux loading out of the initrd into systemd, in order to
>>> support fully featured initrd-less boots. I don't think we should reopen
>>> this problem set by having IMA in the initrd. I believe IMA should be
>>> treated pretty much exactly like SELinux here: the policy should be
>>> loaded from PID1 and it needs to be a compile time option, and it needs
>>> a kernel cmdline option to disable it (i.e. like selinux=0).
>>>
>>
>> If the SELinux module in dracut is to be considered definitively broken
>> probably also the IMA module should be removed, because it will not be
>> possible to load policies with LSM rules. But i don't know how this
>> feature can be supported by distributions without Systemd installed.
>
> Well, if the rumours I keep hearing are true Ubuntu might join the
> systemd camp too after their LTS release. Maybe the supporting
> non-systemd systems issues solves itself by that for you?
>

The code for loading IMA custom policies was placed in the initial
ramdisk with the purpose to avoid distribution specific dependencies.
However, since the SELinux initialization has been moved to Systemd
and Systemd itself will be used by the major distributions, i think
placing the IMA code here is the best solution, even if it is not the
most general.


>> Regarding the kernel option, actually there is no a specific parameter
>> to disable IMA. However, it can be introduced in the patches proposed
>> by Mimi Zohar about the 'ima-appraisal' feature. This can allow to
>> disable IMA or to put it in permissive/enforce mode as it happens for
>> example in SELinux.
>
> Whether there is a kernel option to enable/disable IMA will not stop
> these patches from getting into systemd. But I am quite sure they will
> stop IMA from getting any wider coverage in the mainstream distributions
> (if you care for that).
>

Actually, IMA doesn't take any action if the policy is not provided
nor it consumes additional system resources. Further, in the current
implementation, even if IMA measures files it does not return any error
to the system call being executed.


> Oh, and one more thing: it matters to me that this doesn't break my
> build. So it needs to allow me booting when enabled in configure, but
> without any IMA policy around.
>

Ok. this should be not a problem because all errors (IMA support not
included in the kernel, policy file access denied, ...) are ignored
except for the mmap() failure.

Thanks

Roberto Sassu


> Lennart
>



More information about the systemd-devel mailing list