[systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies
zohar at linux.vnet.ibm.com
Tue Feb 21 08:15:33 PST 2012
On Tue, 2012-02-21 at 14:58 +0100, Roberto Sassu wrote:
> Hi Mimi
> do you intend a patch to reintroduce the 'ima=' kernel parameter for
> enabling/disabling IMA? If so, i have not actually thought about this
> but it should be not difficult to implement. Probably we can support
> these modes:
I'm not sure. There was a lot of complaint way back when. Before
re-introducing it, I'd prefer to hear from others how they feel.
> - disabled: IMA returns immediately to the system call;
Today this is done by booting with a null policy.
> - measure_only: IMA performs only measurements and does not return any
> error to the system call;
Booting with a policy, will achieve this result.
> - appraise_permissive: IMA stores measurements in the files extended
> attribute and in the measurements list but does not return any error
> to the system call even if the integrity check fails;
IMA and IMA-appraisal are different features and should not be combined.
Currently, one can be enabled without the other. For example, some may
only want the measurement list, while others may only want integrity
> - appraise_enforce: IMA does the same as the previous mode but returns
> an error to the system call if the integrity check fails.
"ima_appraise= enabled | fix | off" are currently supported.
> Further, we can have a simple user-space package which will contain the
> documentation about how to write a policy (so that it will be more
> easy to find in respect to the whole kernel documentation) and a tool
> that will fix/verify the measurements stored in the files extended
> Having a separate user-space package will simplify the interaction for
> users with the IMA kernel-space portion and will allow to determine
> whether the IMA support should be enabled in Systemd.
Having a Systemd config file wouldn't change the need for the existing
boot command line options. None of them can or should go away, since
IMA must start measuring before any files are accessed, including the
config and policy files, otherwise the chain of trust would be lost.
More information about the systemd-devel