On Tue, Jan 29, 2013 at 03:01:13PM -0500, Mimi Zohar wrote:

[..]

> > Hi Mimi,
> >
> > Can we add another field to ima_rule_entry, say .enforcement to control
> > the behavior of .action. Possible values of .enforcement could be, say.
> >
> > ALL
> > SIGNED_ONLY
> >
> > ALL will be default. And with .action= MEASURE, one could possibly use
> > .enforcement=SIGNED_ONLY.
>
> Other than the .action being '.action=APPRAISE', not 'MEASURE',
> something like what you're suggesting, could work. How about extending
> the new 'appraise_type=' option? The appraise_type enforces a
> particular type (eg. hash, signature) of verification.
>
> option: appraise_type:= [imasig[,signed_only]]
> eg. appraise_type=imasig,signed_only

Right. Given the fact that signed_only things work only for appraise, it
probably is better to extend the ima_appraise= command line option.

I just wrote something based on Linus' tree. That is, introduce
ima_appraise=enforce_labeled_only. But I would look at your next branch
and try introducing imasig_signed_only.

In the meantime here is the patch I used. I can now boot my unlabeled
system with "ima_appraise_tcb" and "ima_appraise=enforce_labeled_only".
But somehow my system has slowed down significantly and I can feel slow
boot as well as slow file operations on terminal.

Thanks
Vivek

---
 Documentation/kernel-parameters.txt   |    3 ++-
 security/integrity/ima/ima.h          |    1 +
 security/integrity/ima/ima_appraise.c |    6 ++++++
 3 files changed, 9 insertions(+), 1 deletion(-)

Index: linux-2.6/security/integrity/ima/ima_appraise.c
===================================================================
--- linux-2.6.orig/security/integrity/ima/ima_appraise.c	2013-01-18 01:29:29.000000000 -0500
+++ linux-2.6/security/integrity/ima/ima_appraise.c	2013-01-29 14:56:47.636620835 -0500
@@ -24,6 +24,8 @@ static int __init default_appraise_setup ima_appraise = 0; else if (strncmp(str, "fix", 3) == 0) ima_appraise = IMA_APPRAISE_FIX; + else if (strncmp(str, "enforce_labeled_only", 21) == 0) + ima_appraise = IMA_APPRAISE_ENFORCE_LABELED_ONLY; return 1; } @@ -144,6 +146,10 @@ out: ima_fix_xattr(dentry, iint); status = INTEGRITY_PASS; } + if ((ima_appraise & IMA_APPRAISE_ENFORCE_LABELED_ONLY) && + (status == INTEGRITY_NOLABEL)) + status = INTEGRITY_PASS; + integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, op, cause, rc, 0); } else { Index: linux-2.6/security/integrity/ima/ima.h =================================================================== --- linux-2.6.orig/security/integrity/ima/ima.h 2013-01-18 01:29:29.000000000 -0500 +++ linux-2.6/security/integrity/ima/ima.h 2013-01-29 14:51:25.762610948 -0500 @@ -140,6 +140,7 @@ void ima_delete_rules(void); #define IMA_APPRAISE_ENFORCE 0x01 #define IMA_APPRAISE_FIX 0x02 #define IMA_APPRAISE_MODULES 0x04 +#define IMA_APPRAISE_ENFORCE_LABELED_ONLY 0x08 #ifdef CONFIG_IMA_APPRAISE int ima_appraise_measurement(struct integrity_iint_cache *iint, Index: linux-2.6/Documentation/kernel-parameters.txt =================================================================== --- linux-2.6.orig/Documentation/kernel-parameters.txt 2013-01-18 01:29:29.000000000 -0500 +++ linux-2.6/Documentation/kernel-parameters.txt 2013-01-29 14:52:44.455613365 -0500 @@ -1064,7 +1064,8 @@ bytes respectively. Such letter suffixes Set number of hash buckets for inode cache. ima_appraise= [IMA] appraise integrity measurements - Format: { "off" | "enforce" | "fix" } + Format: { "off" | "enforce" | "fix" | + "enforce_labeled_only} default: "enforce" ima_appraise_tcb [IMA] -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
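Review bot: in the default_appraise_setup() hunk of ima_appraise.c, `ima_appraise = IMA_APPRAISE_ENFORCE_LABELED_ONLY;` assigns 0x08 on its own and so clears IMA_APPRAISE_ENFORCE (0x01); the ima.h hunk defines these as independent bits and the documented default mode is plain "enforce", so wherever the rest of IMA gates denial on `ima_appraise & IMA_APPRAISE_ENFORCE`, this new mode would enforce nothing, for labeled files as well. It should be `ima_appraise = IMA_APPRAISE_ENFORCE | IMA_APPRAISE_ENFORCE_LABELED_ONLY;`. Minor: `strncmp(str, "enforce_labeled_only", 21)` passes a length one larger than the 20-character literal, so it also compares the terminating NUL and is effectively a strcmp(); use strcmp() or the real length so it reads like the `"fix", 3` branch above it.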
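Review bot: in the `out:` hunk of ima_appraise.c, rewriting INTEGRITY_NOLABEL to INTEGRITY_PASS makes appraisal fail open for every file that carries no IMA label, so in this mode a file that never received a label, or had it removed, passes without any verification; that is the intended trade-off for bringing up an unlabeled system, but it should be stated in a comment here and in the documentation hunk. Also note that `integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, op, cause, rc, 0);` still runs with the original `cause` and `rc` after `status` has been forced to INTEGRITY_PASS, so the audit record describes a failure for a file the kernel then allows; either skip the message for this case or give it a cause such as the one the FIX path uses, so defenders can tell "passed because unlabeled" apart from a real verification failure.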
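Review bot: in the ima.h hunk, `#define IMA_APPRAISE_ENFORCE_LABELED_ONLY 0x08` is named like a standalone mode but is only meaningful as a modifier of IMA_APPRAISE_ENFORCE; a one-line comment saying it relaxes enforce for unlabeled files, or a name like IMA_APPRAISE_SKIP_UNLABELED, would make that clear to the next reader.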
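Review bot: in the kernel-parameters.txt hunk, the new alternative `"enforce_labeled_only}` is missing its closing quote and should read `"enforce_labeled_only" }`; the entry should also say what the mode does (labeled files are enforced as in "enforce", files without an IMA label pass appraisal), since that is a weaker guarantee than the default and an administrator choosing it needs to know that.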