Re: [PATCH V2 3/4] IMA: Optionally make use of filesystem-provided hashes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Mar 6, 2019 at 4:30 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> On Tue, 2019-03-05 at 12:27 -0800, Matthew Garrett wrote:
> > But what's the threat? If an attacker is in a position to inject
> > additional IMA policy then in general they're already in a position to
> > violate other security assumptions. Admins who have a threat model
> > that includes an attacker being able to do this are already requiring
> > signed policy. What's the threat that requiring signed policy for this
> > specific option mitigates?
>
> That might be true, but this "feature" isn't a minor change.  It
> totally changes the IMA measurement list meaning, without any
> indication of the change in meaning.

Ok. Would annotating the audit message to indicate that the hash was
provided directly by the filesystem be sufficient? I'm not clear on
why an admin would set this flag without having read the documentation
for it - like many security features, enabling an inappropriate
combination of them may result in bad things happening. I'm not keen
on tying it to signing because:

a) There are multiple configurations where requiring signed policy
doesn't give a security benefit - if the IMA policy is part of a
verified or measured initramfs, we already have integrity guarantees
and adding an additional layer of signing doesn't win us anything (eg,
in this configuration the IMA key may be loaded from the initramfs as
well, so an attacker able to modify policy could add an additional
signing key).
b) Users who are already using signed policy won't get the additional
hint that you think is necessary.

I'm happy to add this if there's a real threat model around it, but
requiring signing for something other than security reasons seems like
it's conflating unrelated issues.



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux