Hi,

I am wondering whether, in the current implementation of IMA policy, there is a way to enforce appraisal on a file based on the file type. The file type for which I am interested in enforcing the policy is SquashFS. We want to check the signature on the SquashFS file itself before mounting it and mark the partition as read-only. This would allow us the flexibility of not signing every immutable file we are installing. Also, the installation process will be faster, as setting an extended attribute on every file is an extremely time-consuming process.

The signatures are generated at build time, and we are using setfattr to set the security.ima attribute.

Is it possible to achieve this with the existing policy, or do we need an enhancement to the current IMA code? If we need to enhance the kernel to support this feature, where would we start?

Thanks,
Kavitha

Juniper Internal