> -----Original Message----- > From: linux-integrity-owner@xxxxxxxxxxxxxxx [mailto:linux-integrity- > owner@xxxxxxxxxxxxxxx] On Behalf Of Lev Olshvang > Sent: Monday, March 30, 2020 2:28 PM > To: linux-integrity@xxxxxxxxxxxxxxx; Mimi Zohar <zohar@xxxxxxxxxx> > Subject: [PATCH] integrity ima_policy : Select files by suffix > > From: Lev Olshvang <levonshe@xxxxxxxxx> > Date: Fri, 27 Mar 2020 20:50:01 +0300 > Reply-To: > Subject: [PATCH] integrity ima_policy : Select files by suffix > > IMA policy rule allows to select files based on uid, gid, fsuid. etc. > One tremendously useful selector(IMHO) is the file suffix. > > I think of systemd service files, configurution files, etc. > > But the real goal of the patch is the ability to validate shell scripts. > Shell provides too many different ways to run the script: > input redirrection, pipe, command line parameters. Given that file name is not protected, I would suggest to look instead at the execution permission of the file. This information is protected by EVM. In a second time, we could consider to enforce the policy in the interpreters that every script must be executable, as suggested here: https://lkml.org/lkml/2019/4/15/825 Roberto HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Li Jian, Shi Yanli
