On Wed, Nov 15, 2017 at 9:26 AM, Patrick Ohly <patrick.ohly@xxxxxxxxx> wrote:
> What hasn't become obvious to me yet is how portable signatures help
> fit into the overall system. What kind of IMA policy is it meant to
> use? Is the entire partition considered read-only except when
> installing system software or does it also contain data files from
> untrusted apps? Which MAC, if any, and does that matter? Are there
> known holes that need to be plugged before this system is considered
> secure, and is there a "master plan" for getting there?

Our approach is to combine appraisal with LSM in order to allow a more
fine-grained policy (we're using AppArmor, but this applies equally well
to SELinux or SMACK). Execution that attempts to transition into a more
privileged AppArmor context will be subject to appraisal; execution that
transitions into an unprivileged context won't be. Long term, this also
allows for writing policy that ensures that (e.g.) all files read by
systemd are appraised without having to impose the same requirement on
root in general.
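To make the policy shape described in the reply concrete, here is a constructed IMA policy fragment. It is an added illustration, not policy from the thread or from the poster's system, and it is written against SELinux labels because the upstream IMA policy grammar's LSM conditions (subj_*/obj_*) are documented with SELinux types; the reply says the same idea carries over to AppArmor or SMACK. The label names init_t, init_exec_t, user_t and user_exec_t are assumptions standing in for "privileged domain", "file whose execution enters that domain", and their unprivileged counterparts.

```text
# Constructed example IMA policy (not from the mailing-list thread).
# Assumed SELinux labels:
#   init_exec_t  - file type whose execution transitions into the privileged init_t domain
#   user_exec_t  - file type executed by, and staying in, the unprivileged user_t domain
# Requires CONFIG_IMA_APPRAISE and booting with ima_appraise=enforce (or =log while testing).
# Rules are matched in order; for a given hook the first matching rule decides.
# Load with:  cat policy > /sys/kernel/security/ima/policy

# Pseudo-filesystems carry no signatures: never appraise them.
dont_appraise fsmagic=0x9fa0        # PROC_SUPER_MAGIC
dont_appraise fsmagic=0x62656572    # SYSFS_MAGIC
dont_appraise fsmagic=0x01021994    # TMPFS_MAGIC

# Execution that only transitions into (or stays in) the unprivileged domain
# is explicitly exempt, so adding appraisal for privileged paths does not
# start appraising every binary on the box.
dont_appraise func=BPRM_CHECK obj_type=user_exec_t

# Execution of a file that transitions into the privileged domain must carry
# a valid IMA signature (a hash-only xattr is not accepted).
appraise func=BPRM_CHECK obj_type=init_exec_t appraise_type=imasig

# Longer-term step from the reply: everything the privileged domain reads is
# appraised, without imposing that requirement on uid 0 in general.
appraise func=FILE_CHECK mask=MAY_READ subj_type=init_t appraise_type=imasig
appraise func=MMAP_CHECK subj_type=init_t appraise_type=imasig
```

Two practical checks before trusting such a policy: confirm in `/sys/kernel/security/ima/policy` that the rules were accepted in the intended order (a rejected line aborts the load), and exercise each rule in `ima_appraise=log` mode first so that a missing signature shows up as an audit message rather than a failed boot.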