On Thu, Jan 21, 2021 at 12:50 PM Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote:
>
> On Wed, Jan 20, 2021 at 11:29:55PM -0000, Patrick マルタインアンドレアス Uiterwijk wrote:
> > > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> > >
> >
> > I'd like to point out that after many requests, I have updated the change page for this significantly, with more details as to the goals (and non-goals) of this feature, and answers to many other questions asked.
>
> Thanks.
>
> > appraises (verifies) all files that are executed by root: appraise uid=1000 appraise_type=imasig
>
> Typo in "uid=1000"? Also, executed, or read? What is "appraise_type=imasig"?
>
> I'm asking all those basic questions because the project documentation
> under https://sourceforge.net/p/linux-ima/wiki/Home/ is incredibly bad.
> It seems pretty clear nobody loves it, it's full of TLAs and
> formatting errors (e.g. every use of a <placeholder> is accompanied by
> </placeholder> at the end of the paragraph, sic). It also doesn't explain
> much except the obvious parts. It's also full of stuff like "'make
> modules_install install' to install the kernel", which I don't think
> we want to point our users to. (BTW the lwn article [1] linked below
> is *way* more approachable than the "documentation".)
>
> Is there any actual example of policy that makes use of this on
> a Fedora-type system? I'm asking because IMA has been around
> for 15 years [1], and I think it's fair to say that it hasn't exactly
> taken the Linux world over by storm. I can see how IMA can be used to
> attest binaries in a custom-purpose system with a fixed and small set
> of binaries, but it seems much harder in a general purpose system with
> thousands of config files not distributed as rpm contents, user scripts,
> generated unit files, hwdb, etc. The docs that are available online seem
> to be toy examples only.
>
> Such an example is not a requirement, we may enable this based on just
> a hope that some real use will be found in the future, but it would
> certainly help to have such an example when evaluating this.
>
> [1] https://lwn.net/Articles/137306/
>
> > When I install the rpm-plugin-ima, and run "dnf reinstall *", the
> > /usr directory increases by 0.002% to 1417104.
>
> Either the measurement doesn't take xattrs into account, or maybe the
> explanation is that the attributes fit in preallocated space for xattrs?
> Either way, it seems that this cost is small enough and is not
> a barrier to adopting this.

It's file system specific. The interface is the same for ext4, XFS, Btrfs - but on-disk representation is different. XFS has three different representations depending on xattr size, so it might seem to be no cost (preallocated). I'm not sure how much space there is in the inode for this on ext4 and XFS. On Btrfs it's dynamic, no preallocation. I figure for 150,000 files this is roughly a cost of 12MiB for an 81 byte xattr - similar to the selinux label.

--
Chris Murphy