On 5/12/2019 11:37 AM, m3hm00d wrote:
tldr: Is there some way to ask IMA not to open (execute) unknown binaries Hi all, I saw some comments on RFC for WhiteEgret LSM. Someone on the same thread said that IMA could be used for whitelisting as well. Based on a couple of hours with IMA, it seems to me that IMA can only stop execution of (altered) binaries whose hash/sign was earlier measured.
Hi I'm developing an extension (IMA Digest Lists) to allow access to files depending on a white list (for example digests in RPM headers). I will publish a new version soon. For the concept, please have a look at: https://github.com/euleros/linux/wiki/IMA-Digest-Lists-Extension https://github.com/euleros/digest-list-tools/wiki/Architecture
If a user installs a new (unknown) application, it seems like IMA is going to allow that application to run since IMA can't find any integrity loss since IMA doesn't have any 'good' value against the new application. Is this correct? Or is there some other option to ask IMA not to execute any unknown binary?
If appraisal is enabled, and the application has no signature/HMAC, access would be denied. If the application is installed by a package manager, probably files will have a HMAC and access would be granted unless the IMA policy requires signatures. Roberto
Kind regards, m3hm00d
-- HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Bo PENG, Jian LI, Yanli SHI