2010-07-06 15:08:27

by Roberto Sassu

Subject: [RFC][PATCH] ima: add default rule for initramfs files

This patch modifies the default policy shipped with IMA, in order to avoid measurements
of files in the initial ramdisk. Those files can be measured early in the boot process
by the bootloader.
The patch applies to the latest version of the mainline kernel, 2.6.35-rc4.


Signed-off-by: Roberto Sassu <[email protected]>
---
security/integrity/ima/ima_policy.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index aef8c0a..92d8d0e 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -64,6 +64,7 @@ static struct ima_measure_rule_entry default_rules[] = {
{.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
{.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
{.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
{.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,
.flags = IMA_FUNC | IMA_MASK},
{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
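Review bot: the new rule matches on .fsmagic = RAMFS_MAGIC with IMA_FSMAGIC, so it exempts every ramfs superblock, not only the initial ramdisk named in the commit message ("files in the initial ramdisk"); the commit message should state that any file on any ramfs mount stays unmeasured under the default policy. The justification also rests on the bootloader having measured the initramfs image, but the rule drops the per-file measurements unconditionally, so on a system whose loader does not measure the image those files go unrecorded entirely; worth spelling out in the commit message so the trade-off is visible to anyone relying on the default rules.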
--
1.7.1


2010-07-08 13:14:47

by Mimi Zohar

Subject: Re: [RFC][PATCH] ima: add default rule for initramfs files

On Tue, 2010-07-06 at 17:08 +0200, Roberto Sassu wrote:
> This patch modifies the default policy shipped with IMA, in order to avoid measurements
> of files in the initial ramdisk. Those files can be measured early in the boot process
> by the bootloader.
> The patch applies to the latest version of the mainline kernel, 2.6.35-rc4.

Yes, the initramfs measurements are therefore redundant, as they're
already included in the initramfs measurement, but perhaps, as the
number of initramfs is very limited and the individual file measurements
supply additional information, it wouldn't hurt to keep the individual
file measurements as well. These measurements could potentially help in
identifying initramfs changes.

Would appreciate other opinions before accepting this change.

thanks,

Mimi

> Signed-off-by: Roberto Sassu <[email protected]>
> ---
> security/integrity/ima/ima_policy.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index aef8c0a..92d8d0e 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -64,6 +64,7 @@ static struct ima_measure_rule_entry default_rules[] = {
> {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
> {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
> {.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
> + {.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
> {.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,
> .flags = IMA_FUNC | IMA_MASK},
> {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,

2010-07-13 22:08:25

by Seiji Munetoh

Subject: Re: [Linux-ima-user] [RFC][PATCH] ima: add default rule for initramfs files

On Thu, Jul 8, 2010 at 10:14 PM, Mimi Zohar <[email protected]> wrote:
> On Tue, 2010-07-06 at 17:08 +0200, Roberto Sassu wrote:
>> This patch modifies the default policy shipped with IMA, in order to avoid measurements
>> of files in the initial ramdisk. Those files can be measured early in the boot process
>> by the bootloader.
>> The patch applies to the latest version of the mainline kernel, 2.6.35-rc4.
>
> Yes, the initramfs measurements are therefore redundant, as they're
> already included in the initramfs measurement, but perhaps, as the
> number of initramfs is very limited and the individual file measurements
> supplies additional information, it wouldn't hurt to keep the individual
> file measurements as well. These measurements could potentially help in
> identifying initramfs changes.
>
> Would appreciate other opinions before accepting this change.

The hash value of the initramfs is unstable, since it was generated
at the time of kernel installation.
So I still want to check the individual files used in the initramfs.

regards,
--
Seiji



>
> thanks,
>
> Mimi
>
>> Signed-off-by: Roberto Sassu <[email protected]>
>> ---
>> security/integrity/ima/ima_policy.c | 1 +
>> 1 files changed, 1 insertions(+), 0 deletions(-)
>>
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index aef8c0a..92d8d0e 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -64,6 +64,7 @@ static struct ima_measure_rule_entry default_rules[] = {
>> ? ? ? {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
>> ? ? ? {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
>> ? ? ? {.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
>> + ? ? {.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
>> ? ? ? {.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,
>> ? ? ? ?.flags = IMA_FUNC | IMA_MASK},
>> ? ? ? {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,