I already answered to Mimi Zohar that applications expect file name in open() syscall. So there is no need to protect file name otherwise applications just stop to work. Even now when ima hash is not correct application stops to work. Put aside scripts for a second. A lot of programs are configured in .ini or .conf files. The suffix is a very convenient way to provide these files would be measured. Now I returning to scripts. It is very hard to enforce IMA checks in interpreters. And thinks about perl scrips. awk. python scripts. etc The proposed suffix rule is easy and lightweight. I once had programmed BRM hook of LSM I had a very hard time trying to figure out whether shell is opening a script or data , how to get filename to check its signature. Sometimes script file does not have shebang or does not have executable permission. I hope I convinced you. On Mon, Mar 30, 2020 at 7:45 PM Roberto Sassu <roberto.sassu@xxxxxxxxxx> wrote: > > > -----Original Message----- > > From: linux-integrity-owner@xxxxxxxxxxxxxxx [mailto:linux-integrity- > > owner@xxxxxxxxxxxxxxx] On Behalf Of Lev Olshvang > > Sent: Monday, March 30, 2020 2:28 PM > > To: linux-integrity@xxxxxxxxxxxxxxx; Mimi Zohar <zohar@xxxxxxxxxx> > > Subject: [PATCH] integrity ima_policy : Select files by suffix > > > > From: Lev Olshvang <levonshe@xxxxxxxxx> > > Date: Fri, 27 Mar 2020 20:50:01 +0300 > > Reply-To: > > Subject: [PATCH] integrity ima_policy : Select files by suffix > > > > IMA policy rule allows to select files based on uid, gid, fsuid. etc. > > One tremendously useful selector(IMHO) is the file suffix. > > > > I think of systemd service files, configurution files, etc. > > > > But the real goal of the patch is the ability to validate shell scripts. > > Shell provides too many different ways to run the script: > > input redirrection, pipe, command line parameters. > > Given that file name is not protected, I would suggest to look instead at > the execution permission of the file. This information is protected by EVM. > > In a second time, we could consider to enforce the policy in the interpreters > that every script must be executable, as suggested here: > > https://lkml.org/lkml/2019/4/15/825 > > Roberto > > HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 > Managing Director: Li Peng, Li Jian, Shi Yanli
