[systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies

Mimi Zohar zohar at linux.vnet.ibm.com
Tue Feb 21 04:25:05 PST 2012


On Mon, 2012-02-20 at 20:18 +0100, Lennart Poettering wrote:
> On Mon, 20.02.12 20:06, Roberto Sassu (roberto.sassu at polito.it) wrote:
> 
> > >We moved SELinux loading out of the initrd into systemd, in order to
> > >support fully featured initrd-less boots. I don't think we should reopen
> > >this problem set by having IMA in the initrd. I believe IMA should be
> > >treated pretty much exactly like SELinux here: the policy should be
> > >loaded from PID1 and it needs to be a compile time option, and it needs
> > >a kernel cmdline option to disable it (i.e. like selinux=0).
> > >
> > 
> > If the SELinux module in dracut is to be considered definitively broken,
> > probably the IMA module should also be removed, because it will not be
> > possible to load policies with LSM rules. But I don't know how this
> > feature can be supported by distributions without systemd installed.
> 
> Well, if the rumours I keep hearing are true Ubuntu might join the
> systemd camp too after their LTS release. Maybe the supporting
> non-systemd systems issues solves itself by that for you?
> 
> > Regarding the kernel option, actually there is no specific parameter
> > to disable IMA. However, it can be introduced in the patches proposed
> > by Mimi Zohar for the 'ima-appraisal' feature. This would allow
> > disabling IMA, or putting it in permissive/enforcing mode as happens for
> > example in SELinux.
> 
> Whether there is a kernel option to enable/disable IMA will not stop
> these patches from getting into systemd. But I am quite sure they will
> stop IMA from getting any wider coverage in the mainstream distributions
> (if you care for that).

Really? The original IMA patch set defined CONFIG_IMA_BOOTPARAM and
CONFIG_IMA_BOOTPARAM_VALUE, but based on the lkml discussion, I removed
support for them. (May 2008)

In lieu of a switch to enable/disable IMA, the default measurement
policy is null, so that nothing is measured, unless 'ima_tcb' is
provided on the boot command line.

> Oh, and one more thing: it matters to me that this doesn't break my
> build. So it needs to allow me booting when enabled in configure, but
> without any IMA policy around.
> 
> Lennart

Of course IMA should work with/without updating the measurement policy.

thanks,

Mimi
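The two facts the thread turns on, that nothing is measured unless 'ima_tcb' is on the kernel command line and that a custom policy is loaded from userspace (as the systemd patch under discussion does from PID1), can be checked from a shell. The script below is an added example written for this page; it is not code from the thread, from systemd, or from the IMA patch set. The command-line parsing only recognises the 'ima_tcb' token the thread mentions, the policy is written to the real securityfs node /sys/kernel/security/ima/policy, and the default location /etc/ima/ima-policy for the custom policy file is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or from systemd/IMA.
# Reports whether the default IMA measurement policy is active for a given
# kernel command line, and loads a custom policy file into securityfs.

# Real securityfs node; the kernel accepts one policy write (write-once).
IMA_POLICY_FILE="/sys/kernel/security/ima/policy"
# Assumed location of the distribution's custom policy file.
CUSTOM_POLICY="${CUSTOM_POLICY:-/etc/ima/ima-policy}"

# ima_measurement_mode CMDLINE
#   Prints "tcb" when the ima_tcb token is present (the built-in TCB
#   measurement policy is in effect), otherwise "null": the default policy is
#   empty and nothing is measured. There was no separate on/off switch at the
#   time of the thread, so this token is the only thing to look for.
ima_measurement_mode() {
    for tok in $1; do
        case "$tok" in
            ima_tcb) echo tcb; return 0 ;;
        esac
    done
    echo null
    return 0
}

# load_ima_policy FILE
#   Writes the rules in FILE to the IMA policy node, as a PID1-style loader
#   would. Return codes: 0 loaded, 2 no writable IMA node (securityfs not
#   mounted, or a kernel without IMA: boot must still proceed in that case),
#   3 policy file missing. A second write fails because the node is write-once.
load_ima_policy() {
    file="$1"
    [ -f "$file" ] || return 3
    [ -w "$IMA_POLICY_FILE" ] || return 2
    # One rule per line; the kernel rejects the write on the first bad rule.
    cat "$file" > "$IMA_POLICY_FILE"
}

# Usage (uncomment to run against the live system):
#   ima_measurement_mode "$(cat /proc/cmdline)"
#   load_ima_policy "$CUSTOM_POLICY" || echo "policy not loaded, rc=$?"
```

Running `ima_measurement_mode "$(cat /proc/cmdline)"` on a box answers the question Lennart raises about wider coverage: without 'ima_tcb' the measurement list in /sys/kernel/security/ima/ascii_runtime_measurements stays empty even on a kernel built with IMA. The return code 2 from load_ima_policy is the case the last paragraph of the reply asks for: a system configured with IMA support but no policy around must keep booting.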
