On Wed, 2025-02-26 at 22:05 -0500, Mimi Zohar wrote: > On Wed, 2025-02-26 at 22:53 +0000, Enrico Bravi wrote: > > On Tue, 2025-02-25 at 20:53 -0500, Mimi Zohar wrote: > > > On Tue, 2025-02-25 at 14:12 +0100, Enrico Bravi wrote: > > > > The first write on the ima policy file permits to override the default > > > > policy defined with the ima_policy= boot parameter. This can be done > > > > by adding the /etc/ima/ima-policy which allows loading the custom policy > > > > during boot. It is also possible to load custom policy at runtime > > > > through > > > > file operations: > > > > > > > > cp custom_ima_policy /sys/kernel/security/ima/policy > > > > cat custom_ima_policy > /sys/kernel/security/ima/policy > > > > > > > > or by writing the absolute path of the file containing the custom > > > > policy: > > > > > > > > echo /path/of/custom_ima_policy > /sys/kernel/security/ima/policy > > > > > > > > In these cases, file signature can be necessary to load the policy > > > > (func=POLICY_CHECK). Custom policy can also be set at runtime by > > > > directly > > > > writing the policy stream on the ima policy file: > > > > > > > > echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \ > > > > "audit func=BPRM_CHECK mask=MAY_EXEC\n" \ > > > > > /sys/kernel/security/ima/policy > > > > > > > > In this case, there is no mechanism to verify the integrity of the new > > > > policy. > > > > > > > > Add a new entry in the ima measurements list containing the ascii custom > > > > ima policy buffer when not verified at load time. > > > > > > > > Signed-off-by: Enrico Bravi <enrico.bravi@xxxxxxxxx> > > > > > > Hi Enrico, > > > > Hi Mimi, > > > > thank you for the quick response. > > > > > This patch set hard codes measuring the initial custom IMA policy rules > > > that > > > replace the builtin policies specified on the boot command line. IMA > > > shouldn't hard code policy. > > > > My first approach was to define a new critical-data record, Hi Mimi, > Hopefully the new critical-data will be of the entire IMA policy. yes, absolutely. > > but performing the > > measurement after the custom policy becomes effective, the measurement could > > be > > bypassed omitting func=CRITICAL_DATA in the custom policy. > > > > > I'm not quite sure why you're differentiating between > > > measuring the initial and subsequent custom IMA policy rules. > > > > My intention is to measure the first direct write (line by line) on the > > policy > > file, without loading the initial custom policy from a file. This case, if > > I'm > > not wrong, is not covered by func=POLICY_CHECK. > > When secure boot is enabled, the arch specific policy rules require the IMA > policy to be signed. Without secure boot enabled, you're correct. The custom > policy rules may directly be loaded without being measured. > > Why only measure "the first direct write"? Additional custom policy rules may > be directly appended without being measured. Yes, you right. The aim was to measure (at least) the first one, because it substitutes the boot policy, but if you are ok with adding a critical-data record, it would be definitely better. Thank you, Enrico > > > > > Consider defining a new critical-data record to measure the current IMA > > > policy > > > rules. Also consider including the new critical-data rule in the arch > > > specific policy rules. > > > > I think that your suggestion, to add the critical-data rule in the arch > > policy > > rules, solves the problems of bypassing the measurement and hard coding > > policy. > > > > Thank you very much for your feedback. > > You're welcome. > > Mimi > >
