On Thu, 2020-04-09 at 11:39 +0800, Tianjia Zhang wrote:
> Support the read and write operations of ima_appraise by adding a
> securityfs file 'appraise_mode'.
>
> In order to tune appraise mode at runtime, writing a PKCS#7 signature
> corresponding to the signed content is required. The content should be off,
> enforce, log or fix. Given a simple way to achieve this:
>
> $ echo -n off > mode
> $ openssl smime -sign -nocerts -noattr -binary \
>     -in mode -inkey <system_trusted_key> \
>     -signer <cert> -outform der -out mode.p7s
> $ sudo cat mode.p7s \
>     > /sys/kernel/security/ima/appraise_mode
>
> Note that the signing key must be a trust key located in
> system trusted keyring. So even the root privilege cannot
> simply disable the enforcement.

There are major problems with disabling IMA appraisal. This patch set
proposes disabling IMA appraisal without even providing the motivation for
such support. A lot of effort went into preventing custom IMA policies from
disabling appraising the kexec or kernel module signatures. In addition, the
"lockdown" patch set was upstreamed permitting IMA signature verification.
This patch set would break both of these features.

IMA relies on its own keyring for verifying file signatures, not the builtin
or secondary trusted kernel keyrings. Two methods already exist - xattr and
appended signatures - for verifying file signatures.

This patch set assumes creating and signing a file, which is then written to
a securityfs file. Like for loading a custom IMA policy, instead of cat'ing
the file, write the pathname to the securityfs file.

If you must define a new IMA method for verifying file signatures, then it
needs to be generic and added to ima_appraise_measurement(). (Refer to the
new IMA appended signature support.)

Mimi

> Tianjia Zhang (2):
>   ima: support to read appraise mode
>   ima: support to tune appraise mode in runtime
>
>  security/integrity/ima/ima_fs.c | 134 +++++++++++++++++++++++++++++++-
>  1 file changed, 133 insertions(+), 1 deletion(-)
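The signing step quoted in the cover letter, worked through as an added example (not code from the patch set or from this thread), so that a reader can see what a detached PKCS#7 signature over a mode string actually binds. It uses a throwaway self-signed key in place of a system trusted key, never touches securityfs, and checks from the verifier's side that the signature is accepted only for the exact bytes that were signed and only against the signer's certificate; every file name in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the patch set or the thread. It reproduces the
# detached PKCS#7 signing step from the cover letter with a throwaway
# self-signed key, then checks the two properties a verifier must enforce:
# the signature is accepted only against the signer's certificate, and only
# for the exact content that was signed. All key/cert file names are
# constructed for this demo; nothing here touches securityfs.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway signer (stand-in for a key in the system trusted keyring)
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem \
  -subj "/CN=demo-ima-signer" -days 1 >/dev/null 2>&1
# A second, unrelated key to show that a foreign signature is rejected
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.pem -out other-cert.pem \
  -subj "/CN=demo-untrusted" -days 1 >/dev/null 2>&1

# sign_mode MODE KEY CERT OUT: detached DER PKCS#7 over the bytes of MODE,
# same openssl invocation as in the cover letter
sign_mode() {
  printf '%s' "$1" > mode
  openssl smime -sign -nocerts -noattr -binary -in mode -inkey "$2" \
    -signer "$3" -outform der -out "$4"
}

# verify_mode CONTENT P7S CERT: exit 0 only if P7S is a valid signature over
# CONTENT by the key in CERT. -nocerts left the signer cert out of the
# signature, so it is supplied with -certfile; -CAfile makes it the trust root.
verify_mode() {
  openssl smime -verify -binary -inform der -in "$2" -content "$1" \
    -certfile "$3" -CAfile "$3" >/dev/null 2>&1
}

# run_checks: exit 0 if all three expectations hold, 1 otherwise
run_checks() {
  sign_mode off key.pem cert.pem mode.p7s
  verify_mode mode mode.p7s cert.pem || return 1              # genuine: accepted
  printf '%s' enforce > tampered
  if verify_mode tampered mode.p7s cert.pem; then return 1; fi  # content changed
  sign_mode off other.pem other-cert.pem foreign.p7s
  if verify_mode mode foreign.p7s cert.pem; then return 1; fi   # untrusted key
  return 0
}

run_checks && echo "signature is bound to the content and to the trusted signer"
```

The third check is the one that matters for the thread: which certificate `verify_mode` is handed decides whose signature counts, which is exactly why the kernel-side question is which keyring does the verifying, not merely whether the bytes carry a PKCS#7 blob.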