Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp684255ybz;
        Wed, 15 Apr 2020 16:39:47 -0700 (PDT)
X-Google-Smtp-Source: APiQypKYnyxVgwmjnGIi/LhslhkqS+IvzbL4kXkPYTJPaIGTW4uXC6AfsqAjP8WOnxguufDsvbc2
X-Received: by 2002:a17:906:704b:: with SMTP id r11mr7037270ejj.80.1586993987791;
        Wed, 15 Apr 2020 16:39:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1586993987; cv=none;
        d=google.com; s=arc-20160816;
        b=B9WX2RAukkyQdx5bJ9E5Qt/bpzN/AhvIKToZ0Orowd0BhH1nXDNLU4mdx/m/mnC+TI
         ofRnVAUDy7Qt8H1ymPOWJ+fo+WjEp/6oyg3yEIFboWdeIz8j1VZeO0PNMVAON+FokfIf
         ohWU5wPRWSMoZWoBfguT0lM8Zns/ndsaPNAEGj8UDx9Zf4FPIw4D744CouHDRrs6is+b
         AUwsfVjDrsSin+VADm3BoTqUj5x/3Lo5qogyKJ6dCE08E2vAWybAmDU5n+K/XDfx1HtR
         JgetaUUe0GDyX5Hqz/8PeE4nIE5hGNAAd7+Y2DddzLSTo6hGzxWLscximi+QdM4l80xG
         jAMA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:in-reply-to
         :mime-version:user-agent:date:message-id:from:references:cc:to
         :subject;
        bh=IW6qIUlWlvfHorP88rS5qVGJ8R7LQ1tWgMmUnNpOmco=;
        b=0XJ21PfNXm8atIv8mRn/pjtVwRuyzu26m8JRSgi5qhhRGNb8XtcivpDRL+e9NNYA98
         hiuXnh6Yf5Na5G0zRV3GvZYBUhuV7sJaLScjXnRxQxkdx3xQJtjorHlqmvwTaNIG2fUf
         24rsii42ClFNER0qKUfmZXwJLfFKxPYUtCXCLyuHgfS4ha46j9fem3XC/q7u1c5uIozJ
         eGXPKO6FDpXrnbP4ijcomML7RbP6aGkUEFkUmMwVRSeyFVZIL5hCHnzKMWQP61z0r4sG
         vhctGnGhbUVYA99rf80PsyS90prrWPG07vZ89YDrNhyByL+xQi4+o+lmys1IZzCMBEJB
         xEVg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id f17si10698487ejx.11.2020.04.15.16.39.24;
        Wed, 15 Apr 2020 16:39:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2392992AbgDOCtp (ORCPT <rfc822;utfcpqpk@gmail.com> + 99 others);
        Tue, 14 Apr 2020 22:49:45 -0400
Received: from out30-132.freemail.mail.aliyun.com ([115.124.30.132]:47065 "EHLO
        out30-132.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1728305AbgDOCtl (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 14 Apr 2020 22:49:41 -0400
X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R151e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e01422;MF=tianjia.zhang@linux.alibaba.com;NM=1;PH=DS;RN=9;SR=0;TI=SMTPD_---0Tva366D_1586918970;
Received: from 30.27.118.45(mailfrom:tianjia.zhang@linux.alibaba.com fp:SMTPD_---0Tva366D_1586918970)
          by smtp.aliyun-inc.com(127.0.0.1);
          Wed, 15 Apr 2020 10:49:30 +0800
Subject: Re: [PATCH 0/2] support to read and tune appraise mode in runtime
To:     Mimi Zohar <zohar@linux.ibm.com>, dmitry.kasatkin@gmail.com,
        jmorris@namei.org, serge@hallyn.com, zhangliguang@linux.alibaba.com
Cc:     linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, Nayna Jain <nayna@linux.ibm.com>
References: <20200409033907.102833-1-tianjia.zhang@linux.alibaba.com>
 <1586814958.7311.92.camel@linux.ibm.com>
 <a767d0e0-6c57-254a-3c95-f78026e80c1d@linux.alibaba.com>
 <1586871674.7311.189.camel@linux.ibm.com>
From:   Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Message-ID: <8afd9d82-b957-2be9-6132-411d28fa80dc@linux.alibaba.com>
Date:   Wed, 15 Apr 2020 10:49:30 +0800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101
 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <1586871674.7311.189.camel@linux.ibm.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 2020/4/14 21:41, Mimi Zohar wrote:
> On Tue, 2020-04-14 at 11:36 +0800, Tianjia Zhang wrote:
>>
>> On 2020/4/14 5:55, Mimi Zohar wrote:
>>> On Thu, 2020-04-09 at 11:39 +0800, Tianjia Zhang wrote:
>>>> Support the read and write operations of ima_appraise by adding a
>>>> securifyfs file 'appraise_mode'.
>>>>
>>>> In order to tune appraise mode in runtime, writing a PKCS#7 signature
>>>> corresponding the signed content is required. The content should be off,
>>>> enforce, log or fix. Given a simple way to archive this:
>>>>
>>>> $ echo -n off > mode
>>>> $ openssl smime -sign -nocerts -noattr -binary \
>>>>       -in mode -inkey <system_trusted_key> \
>>>>       -signer <cert> -outform der -out mode.p7s
>>>> $ sudo cat mode.p7s \
>>>>       > /sys/kernel/security/ima/appraise_mode
>>>>
>>>> Note that the signing key must be a trust key located in
>>>> system trusted keyring. So even the root privilege cannot
>>>> simply disable the enforcement.
>>>
>>> There are major problems with disabling IMA appraisal.  This patch set
>>> proposes disabling IMA appraisal without even providing the motivation
>>> for such support.
>>>
>>> A lot of effort went into preventing custom IMA policies from
>>> disabling appraising the kexec or kernel module signatures.  In
>>> addition, the "lockdown" patch set was upstreamed permitting IMA
>>> signature verification.  This patch set would break both of these
>>> features.
>>>
>>> IMA relies on its own keyring for verifying file signatures, not the
>>> builtin or secondary trusted kernel keyrings.
>>>
>>> Two methods already exist - xattr and appended signatures - for
>>> verifying file signatures.  This patch set assumes creating and
>>> signing a file, which is then written to a securityfs file.  Like for
>>> loading a custom IMA policy, instead of cat'ing the file, write the
>>> pathname to the securityfs file.
>>>
>>> If you must define a new IMA method for verifying file signatures,
>>> then it needs to be generic and added to ima_appraise_measurement().
>>>    (Refer to the new IMA appended signature support.)
>>>
>>> Mimi
>>>
>>>>
>>>> Tianjia Zhang (2):
>>>>     ima: support to read appraise mode
>>>>     ima: support to tune appraise mode in runtime
>>>>
>>>>    security/integrity/ima/ima_fs.c | 134 +++++++++++++++++++++++++++++++-
>>>>    1 file changed, 133 insertions(+), 1 deletion(-)
>>>>
>>
>> Thanks for your suggestion, the way to close the appraise mode here is
>> indeed a bit rude, I will reconsider again according to your suggestions.
>>
>> In addition, [PATCH 1/2] ima: support to read appraise mode, by the way,
>> see if this patch is acceptable.
> 
> My comments were not meant as suggestions, but as an explanation as to
> how IMA works.  More details follow.
> 
> IMA is based on policy.  That decision was made a long time ago.  It
> allowed distros to configure IMA, allowing customers to experiment
> with it.  You have one opportunity to totally change the boot time
> policy rules, by loading a custom policy.  After that, rules may only
> be added.
> 
> There is no valid reason for "turning off" the policy once it has been
> enabled.  It breaks existing expectations.
> 
> Mimi
> 

Thank you very much for your explanation. I'm sorry I may not have 
stated clearly. I didn't have to change the working mode of IMA. I was 
convinced by you to give up the idea of "turn off" the appraise. 
However, it should be possible to support appraise mode reading. Right?