RE: Can we enforce "IMA Policy" based on file type

Mimi

>> Another option would be to extend IMA by implementing the LSM 
>> security_sb_mount hook

Yes, that’s exactly the feedback I was looking for.
I know that there is no existing support as of today.  But I wanted to know how we can add support for this.

-Kavitha 

Juniper Internal

-----Original Message-----
From: Mimi Zohar <zohar@xxxxxxxxxxxxx> 
Sent: Thursday, April 25, 2019 4:59 AM
To: Kavitha Sivagnanam <kavi@xxxxxxxxxxx>; linux-integrity@xxxxxxxxxxxxxxx
Subject: Re: Can we enforce "IMA Policy" based on file type

On Fri, 2019-04-19 at 21:52 +0000, Kavitha Sivagnanam wrote:
> Hi
> 
> I am wondering, in the current implementation of IMA policy, if there 
> is a way to enforce appraisal on a file based on the file type.  The 
> file type that I am interested in enforcing the policy is for SquashFS 
> files.
> 
> We want to check the signature on the SquashFS file itself before 
> mounting it and mark the partition as read-only. This would allow us 
> to have the flexibility of not signing every immutable file we are 
> installing. Also, the installation process will be faster, as setting an
> extended attribute on every file is an extremely time-consuming process.
> The signatures are generated at build time & we are using setfattr to
> set the security.ima attribute.
> 
> Is it possible to achieve this with existing policy (or) we need 
> enhancement to the current IMA code? If we need to enhance the kernel 
> to support this feature, where would we start?

As Matthew indicated, you could define LSM labels on the squashfs file images.  Another option would be to extend IMA by implementing the LSM security_sb_mount hook.  The IMA policy rule would probably look something like:

appraise func=MOUNT_CHECK fsname=squashfs appraise_type=imasig

Mimi
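The signatures Kavitha describes live in the security.ima xattr that evmctl/setfattr write. As an added example, not code from this thread or from the IMA project, here is a small Python parser for that value's header (the kernel's signature_v2_hdr layout: type, version, hash algorithm, key id, signature size, then the raw signature), so an operator can check that a squashfs image actually carries a well-formed signature before relying on a mount-time rule like the one above. The sample blob, its key id and its all-zero signature are constructed for illustration.

```python
import os
import struct

# Constants from the kernel's IMA/EVM headers.
EVM_IMA_XATTR_DIGSIG = 0x03          # xattr type byte for a digital signature
SIG_VERSION_V2 = 2                   # signature_v2_hdr version written by evmctl
HASH_ALGO_NAMES = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
                   4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}
# struct signature_v2_hdr: u8 type, u8 version, u8 hash_algo, __be32 keyid, __be16 sig_size
HDR = struct.Struct(">BBBIH")


def parse_ima_sig(blob: bytes) -> dict:
    """Parse a v2 IMA signature xattr value; raise ValueError if malformed."""
    if len(blob) < HDR.size:
        raise ValueError("security.ima value too short for a signature header")
    xtype, version, algo, keyid, sig_size = HDR.unpack_from(blob)
    if xtype != EVM_IMA_XATTR_DIGSIG:
        raise ValueError(f"not a digital-signature xattr (type 0x{xtype:02x})")
    if version != SIG_VERSION_V2:
        raise ValueError(f"unsupported signature version {version}")
    sig = blob[HDR.size:]
    if len(sig) != sig_size:
        raise ValueError(f"signature length {len(sig)} != header sig_size {sig_size}")
    return {"hash_algo": HASH_ALGO_NAMES.get(algo, f"unknown({algo})"),
            "keyid": f"{keyid:08x}", "sig_size": sig_size, "sig": sig}


def image_has_ima_sig(path: str) -> bool:
    """True if the file (e.g. a squashfs image) carries a well-formed security.ima signature."""
    try:
        blob = os.getxattr(path, "security.ima")
    except OSError:               # missing file, no xattr support, or xattr not set
        return False
    try:
        parse_ima_sig(blob)
    except ValueError:
        return False
    return True


# Constructed sample: header for a 256-byte (RSA-2048) signature over a sha256
# digest with a made-up key id; the signature bytes are zeros, not a real signature.
SAMPLE_XATTR = HDR.pack(EVM_IMA_XATTR_DIGSIG, SIG_VERSION_V2, 4, 0xDEADBEEF, 256) + bytes(256)

if __name__ == "__main__":
    hdr = parse_ima_sig(SAMPLE_XATTR)
    print(f"hash={hdr['hash_algo']} keyid={hdr['keyid']} sig_size={hdr['sig_size']}")
```

Cryptographic verification of the signature itself still needs the signing certificate; this only confirms the xattr is present and structurally what the kernel expects.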
