Subject: Re: [PATCH v2 0/3] initramfs: add support for xattrs in the initial ram disk
To: Mimi Zohar, Arvind Sankar
Cc: Arvind Sankar, Roberto Sassu, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org, initramfs@vger.kernel.org
References: <20190512194322.GA71658@rani.riverdale.lan> <3fe0e74b-19ca-6081-3afe-e05921b1bfe6@huawei.com> <4f522e28-29c8-5930-5d90-e0086b503613@landley.net> <20190513172007.GA69717@rani.riverdale.lan> <20190513175250.GC69717@rani.riverdale.lan> <1557772584.4969.62.camel@linux.ibm.com> <20190513184744.GA12386@rani.riverdale.lan> <1557785351.4969.94.camel@linux.ibm.com>
From: Rob Landley
Message-ID: <66b57ae5-bb5a-c008-8490-2c90e050fc65@landley.net>
Date: Tue, 14 May 2019 01:06:45 -0500
In-Reply-To: <1557785351.4969.94.camel@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 5/13/19 5:09 PM, Mimi Zohar wrote:
>> Ok, but wouldn't my idea still work? Leave the default compiled-in
>> policy set to not appraise initramfs. The embedded /init sets all the
>> xattrs, changes the policy to appraise tmpfs, and then exec's the real
>> init? Then everything except the embedded /init and the file with the
>> xattrs will be appraised, and the embedded /init was verified as part of
>> the kernel image signature. The only additional kernel change needed
>> then is to add a config option to the kernel to disallow overwriting the
>> embedded initramfs (or at least the embedded /init).
>
> Yes and no.  The current IMA design allows a builtin policy to be
> specified on the boot command line ("ima_policy="), so that it exists
> from boot, and allows it to be replaced once with a custom policy.
> After that, assuming that CONFIG_IMA_WRITE_POLICY is configured,
> additional rules may be appended.  As your embedded /init solution
> already replaces the builtin policy, the IMA policy couldn't currently
> be replaced a second time with a custom policy based on LSM labels.

So your design assumption, which you're changing other code to work around
in that instance, is that the policy can only be replaced once, rather than
having a "finalize" option when it's set, making it immutable from then on.

Rob
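As an added illustration of the constraint discussed in the exchange above (a small model written for this page, not kernel code and not from any participant in the thread), the following Python models the IMA policy lifecycle exactly as the mail describes it: a builtin policy named by ima_policy= exists from boot, it can be replaced once by a write to the policy file, and after that further writes only append, and only if CONFIG_IMA_WRITE_POLICY is set. The embedded-/init scenario shows why that first write is "used up" before the real init gets a chance to install an LSM-label-based policy. The `finalize_model` flag is an assumption modelling Rob's "finalize" alternative, not current kernel behaviour; the rule strings and the obj_type labels are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List


class PolicyError(Exception):
    """Raised where the kernel would reject (or no longer expose) a policy write."""


@dataclass
class ImaPolicy:
    write_policy: bool            # models CONFIG_IMA_WRITE_POLICY
    finalize_model: bool = False  # ASSUMPTION: Rob's "finalize" alternative, not current kernel behaviour
    rules: List[str] = field(default_factory=list)
    replaced: bool = False        # has the one-shot replacement of the builtin policy been used?
    finalized: bool = False       # only meaningful when finalize_model is True

    @classmethod
    def from_cmdline(cls, cmdline: str, write_policy: bool, finalize_model: bool = False) -> "ImaPolicy":
        """Builtin policy from 'ima_policy=' on the boot command line (names joined with '|')."""
        rules: List[str] = []
        for tok in cmdline.split():
            if tok.startswith("ima_policy="):
                rules += [f"builtin:{name}" for name in tok[len("ima_policy="):].split("|") if name]
        return cls(write_policy=write_policy, finalize_model=finalize_model, rules=rules)

    def load(self, custom_rules: List[str]) -> None:
        """Model one write of rules to /sys/kernel/security/ima/policy."""
        if self.finalized:
            raise PolicyError("policy finalized; no further changes accepted")
        if self.finalize_model:
            # Hypothetical alternative: replace freely until finalize() is called.
            self.rules = list(custom_rules)
            return
        if not self.replaced:
            # Current design: the first custom policy replaces the builtin one.
            self.rules = list(custom_rules)
            self.replaced = True
            return
        if not self.write_policy:
            # Without CONFIG_IMA_WRITE_POLICY there is no second write at all.
            raise PolicyError("policy already replaced and CONFIG_IMA_WRITE_POLICY is not set")
        # With CONFIG_IMA_WRITE_POLICY, later writes append; they never replace.
        self.rules.extend(custom_rules)

    def finalize(self) -> None:
        if not self.finalize_model:
            raise PolicyError("the current design has no finalize step")
        self.finalized = True


# Constructed rule strings for the scenario; 0x01021994 is TMPFS_MAGIC, the labels are hypothetical.
TMPFS_APPRAISE = "appraise fsmagic=0x01021994"
CUSTOM_RULES = [TMPFS_APPRAISE, "appraise obj_type=lib_t", "appraise obj_type=bin_t"]


def embedded_init_scenario(write_policy: bool, finalize_model: bool = False):
    """Step 1: the embedded /init sets xattrs and switches on tmpfs appraisal (this consumes
    the one replacement). Step 2: the real init tries to install its LSM-label-based policy."""
    policy = ImaPolicy.from_cmdline("ima_policy=tcb", write_policy, finalize_model)
    policy.load([TMPFS_APPRAISE])
    try:
        policy.load(CUSTOM_RULES)
        outcome = "replaced" if finalize_model else "appended"
    except PolicyError:
        outcome = "rejected"
    if finalize_model:
        policy.finalize()
    return outcome, list(policy.rules)


if __name__ == "__main__":
    for wp, fm in ((False, False), (True, False), (True, True)):
        print(f"write_policy={wp} finalize_model={fm}:", embedded_init_scenario(wp, fm))
```

Without CONFIG_IMA_WRITE_POLICY the second load is rejected outright; with it, the LSM-label rules land after the tmpfs rule but cannot replace it, which is the "couldn't currently be replaced a second time" point. Only the hypothetical finalize variant lets the real init replace the policy and then lock it.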