On Fri, 2019-04-19 at 21:52 +0000, Kavitha Sivagnanam wrote:
> Hi
>
> I am wondering, in the current implementation of IMA policy, if
> there is a way to enforce appraisal on a file based on the file
> type. The file type that I am interested in enforcing the policy
> for is SquashFS files.
>
> We want to check the signature on the SquashFS file itself before
> mounting it and mark the partition as read-only. This would allow us
> to have the flexibility of not signing every immutable file we are
> installing. Also the installation process will be faster, as setting
> an extended attribute on every file is an extremely time-consuming
> process. The signatures are generated at build time & we are using
> setfattr to set the security.ima attribute.
>
> Is it possible to achieve this with the existing policy (or) do we need
> an enhancement to the current IMA code? If we need to enhance the
> kernel to support this feature, where would we start?

As Matthew indicated, you could define LSM labels on the squashfs file
images.

Another option would be to extend IMA by implementing the LSM
security_sb_mount hook. The IMA policy rule would probably look
something like:

appraise func=MOUNT_CHECK fsname=squashfs appraise_type=imasig

Mimi
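Whatever hook ends up triggering appraisal of the image (the MOUNT_CHECK rule above is a sketch, not an existing rule), the value that `setfattr` writes into `security.ima` at build time is what IMA inspects first: the type byte decides whether the xattr is a bare hash or a signature, and `appraise_type=imasig` fails with the cause `IMA-signature-required` when it finds only a hash. The following is an added example, not code from this thread or from ima-evm-utils: it decodes a `security.ima` value using the layouts from the kernel's `security/integrity/integrity.h` (`enum evm_ima_xattr_type`, `struct signature_v2_hdr`) and `include/uapi/linux/hash_info.h`, reports whether the blob would satisfy an `imasig` rule, and emits the `0s`-base64 form that `setfattr -v` accepts. It only parses the header; it does not verify the signature. The sample signature bytes and key id are constructed filler for the demonstration.

```python
"""Classify a security.ima xattr value the way IMA appraisal does before verifying it.

Added example for the linux-integrity thread above; not kernel or ima-evm-utils code.
Layouts: security/integrity/integrity.h and include/uapi/linux/hash_info.h.
"""
import base64
import os
import struct
from dataclasses import dataclass
from typing import Optional

# enum evm_ima_xattr_type: the first byte of security.ima / security.evm
IMA_XATTR_DIGEST = 0x01            # legacy: type byte followed by a raw SHA-1 digest
EVM_XATTR_HMAC = 0x02              # security.evm only
EVM_IMA_XATTR_DIGSIG = 0x03        # struct signature_v2_hdr followed by the signature
IMA_XATTR_DIGEST_NG = 0x04         # type byte, hash_algo byte, digest
EVM_XATTR_PORTABLE_DIGSIG = 0x05   # security.evm only

# enum hash_algo ids as they appear in the xattr
HASH_ALGO_NAMES = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
                   4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}
HASH_ALGO_SHA256 = 4

# struct signature_v2_hdr { u8 type; u8 version; u8 hash_algo; __be32 keyid; __be16 sig_size; u8 sig[]; }
SIG_V2_HDR = struct.Struct(">BBBIH")


@dataclass
class ImaXattr:
    kind: str                     # "digsig", "digest-ng", "digest" or "unknown"
    hash_algo: Optional[str] = None
    keyid: Optional[int] = None   # last 4 bytes of the signing key's SKID (v2 signatures)
    signature: bytes = b""
    digest: bytes = b""


def parse_security_ima(value: bytes) -> ImaXattr:
    """Decode a security.ima value; raise ValueError for a malformed blob."""
    if not value:
        raise ValueError("empty security.ima value")
    xtype = value[0]
    if xtype == EVM_IMA_XATTR_DIGSIG:
        if len(value) < SIG_V2_HDR.size:
            raise ValueError("signature_v2_hdr truncated")
        _, version, algo, keyid, sig_size = SIG_V2_HDR.unpack_from(value)
        if version != 2:
            raise ValueError(f"unsupported signature version {version}")
        sig = value[SIG_V2_HDR.size:]
        if len(sig) != sig_size:
            raise ValueError(f"sig_size {sig_size} but {len(sig)} trailing bytes")
        return ImaXattr("digsig", HASH_ALGO_NAMES.get(algo, f"algo{algo}"), keyid, sig)
    if xtype == IMA_XATTR_DIGEST_NG:
        if len(value) < 3:
            raise ValueError("digest-ng value truncated")
        return ImaXattr("digest-ng", HASH_ALGO_NAMES.get(value[1], f"algo{value[1]}"),
                        digest=value[2:])
    if xtype == IMA_XATTR_DIGEST:
        return ImaXattr("digest", "sha1", digest=value[1:])
    return ImaXattr("unknown")


def satisfies_imasig(value: bytes) -> bool:
    """True only for a signature blob: a bare hash makes an appraise_type=imasig
    rule fail with cause IMA-signature-required, and a malformed blob fails too."""
    try:
        return parse_security_ima(value).kind == "digsig"
    except ValueError:
        return False


def build_digsig_xattr(hash_algo_id: int, keyid: int, signature: bytes) -> bytes:
    """Assemble a v2 signature xattr (what `evmctl ima_sign` would write)."""
    return SIG_V2_HDR.pack(EVM_IMA_XATTR_DIGSIG, 2, hash_algo_id, keyid,
                           len(signature)) + signature


def setfattr_value(value: bytes) -> str:
    """Encode for `setfattr -n security.ima -v <this> image.sqsh` (0s = base64)."""
    return "0s" + base64.b64encode(value).decode("ascii")


def classify_file(path: str) -> ImaXattr:
    """Read and decode security.ima from a real file (Linux, needs read access)."""
    return parse_security_ima(os.getxattr(path, "security.ima"))


# Constructed samples: the signature is filler bytes, not a real RSA signature.
SAMPLE_SIG = bytes(range(256))
SAMPLE_DIGSIG = build_digsig_xattr(HASH_ALGO_SHA256, 0x0A1B2C3D, SAMPLE_SIG)
SAMPLE_HASH = bytes([IMA_XATTR_DIGEST_NG, HASH_ALGO_SHA256]) + b"\x11" * 32

if __name__ == "__main__":
    for name, blob in (("signed image", SAMPLE_DIGSIG), ("hashed image", SAMPLE_HASH)):
        print(name, parse_security_ima(blob).kind, "imasig ok:", satisfies_imasig(blob))
    print("setfattr -n security.ima -v", setfattr_value(SAMPLE_HASH)[:24] + "...")
```

Run it against a real build artifact with `classify_file("image.sqsh")` on a filesystem that carries the xattr; the `0s` prefix in `setfattr_value` is the base64 encoding `setfattr(1)` documents, which avoids shell-quoting the raw binary signature.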