Re: [PATCH V2 3/4] IMA: Optionally make use of filesystem-provided hashes

On Wed, Mar 6, 2019 at 4:30 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> On Tue, 2019-03-05 at 12:27 -0800, Matthew Garrett wrote:
> > But what's the threat? If an attacker is in a position to inject
> > additional IMA policy then in general they're already in a position to
> > violate other security assumptions. Admins who have a threat model
> > that includes an attacker being able to do this are already requiring
> > signed policy. What's the threat that requiring signed policy for this
> > specific option mitigates?
>
> That might be true, but this "feature" isn't a minor change.  It
> totally changes the IMA measurement list meaning, without any
> indication of the change in meaning.

Ok. Would annotating the audit message to indicate that the hash was
provided directly by the filesystem be sufficient? I'm not clear on
why an admin would set this flag without having read the documentation
for it - like many security features, enabling an inappropriate
combination of them may result in bad things happening. I'm not keen
on tying it to signing because:

a) There are multiple configurations where requiring signed policy
doesn't give a security benefit - if the IMA policy is part of a
verified or measured initramfs, we already have integrity guarantees
and adding an additional layer of signing doesn't win us anything (e.g.,
in this configuration the IMA key may be loaded from the initramfs as
well, so an attacker able to modify policy could add an additional
signing key).
b) Users who are already using signed policy won't get the additional
hint that you think is necessary.

I'm happy to add this if there's a real threat model around it, but
requiring signing for something other than security reasons seems like
it's conflating unrelated issues.
