Re: Fedora 34 Change: Signed RPM Contents (late System-Wide Change)

On Thu, Jan 21, 2021 at 12:50 PM Zbigniew Jędrzejewski-Szmek
<zbyszek@xxxxxxxxx> wrote:
>
> On Wed, Jan 20, 2021 at 11:29:55PM -0000, Patrick  マルタインアンドレアス  Uiterwijk wrote:
> > > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> > >
> >
> > I'd like to point out that after many requests, I have updated the change page for this significantly, with more details as to the goals (and non-goals) of this feature, and answers to many other questions asked.
>
> Thanks.
>
> > appraises (verifies) all files that are executed by root: appraise uid=1000 appraise_type=imasig
>
> Typo in "uid=1000"? Also, executed, or read? What is "appraise_type=imasig"?
>
> I'm asking all those basic questions because the project documentation
> under https://sourceforge.net/p/linux-ima/wiki/Home/ is incredibly bad.
> It seems pretty clear nobody loves it, it's full of TLAs and
> formatting errors (e.g. every use of a <placeholder> is accompanied by
> </placeholder> at the end of the paragraph, sic). It also doesn't explain
> much except the obvious parts. It's also full of stuff like "'make
> modules_install install' to install the kernel", which I don't think
> we want to point our users to. (BTW the lwn article [1] linked below
> is *way* more approachable than the "documentation".)
>
> Is there any actual example of policy that makes use of this on
> a Fedora-type system? I'm asking because IMA has been around
> for 15 years [1], and I think it's fair to say that it hasn't exactly
> taken the Linux world over by storm. I can see how IMA can be used to
> attest binaries in a custom-purpose system with a fixed and small set
> of binaries, but it seems much harder in a general purpose system with
> thousands of config files not distributed as rpm contents, user scripts,
> generated unit files, hwdb, etc. The docs that are available online seem
> to be toy examples only.
>
> Such an example is not a requirement, we may enable this based on just
> a hope that some real use will be found in the future, but it would
> certainly help to have such an example when evaluating this.
>
> [1] https://lwn.net/Articles/137306/
>
> > When I install the rpm-plugin-ima, and run "dnf reinstall *", the
> > /usr directory increases by 0.002% to 1417104.
>
> Either the measurement doesn't take xattrs into account, or maybe the
> explanation is that the attributes fit in preallocated space for xattrs?
> Either way, it seems that this cost is small enough and is not
> a barrier to adopting this.

It's file system specific. The interface is the same for ext4, XFS,
Btrfs - but on-disk representation is different. XFS has three
different representations depending on xattr size, so it might seem to
be no cost (preallocated). I'm not sure how much space there is in the
inode for this on ext4 and XFS. On Btrfs it's dynamic, no
preallocation. I figure for 150,000 files this is roughly a cost of
12MiB for an 81 byte xattr - similar to the selinux label.



-- 
Chris Murphy
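
Added example, not part of the original message or of any Fedora/IMA tooling: a Python script that sums the `security.ima` and `security.selinux` xattr value bytes under a tree, so the per-file cost discussed above can be measured directly rather than inferred from directory size. It counts value length only, not the file-system-specific on-disk overhead; the function name and the default path `/usr` are this example's own choices.

```python
import errno
import os
import sys

# Standard Linux xattr names for the IMA signature and the SELinux label.
XATTRS = ("security.ima", "security.selinux")

# Errors that mean "no such xattr here / cannot read it": skip, do not abort.
SKIP = (errno.ENODATA, errno.ENOTSUP, errno.EPERM, errno.EACCES, errno.ENOENT)


def xattr_payload(root, names=XATTRS, getxattr=getattr(os, "getxattr", None)):
    """Walk root and return {xattr_name: (files_with_xattr, total_value_bytes)}.

    getxattr is injectable so the logic can be exercised without a labelled
    file system; by default it is os.getxattr (Linux only).
    """
    totals = {n: [0, 0] for n in names}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            for n in names:
                try:
                    # Do not follow symlinks, so a target is not counted twice.
                    value = getxattr(path, n, follow_symlinks=False)
                except OSError as e:
                    if e.errno in SKIP:
                        continue
                    raise
                totals[n][0] += 1
                totals[n][1] += len(value)
    return {n: tuple(v) for n, v in totals.items()}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    for name, (count, size) in xattr_payload(root).items():
        avg = size / count if count else 0
        print(f"{name}: {count} files, {size} bytes "
              f"({size / 2**20:.2f} MiB, avg {avg:.0f} B/file)")
```

Running it before and after reinstalling packages with the IMA plugin gives the payload difference independent of how each file system stores xattrs.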