RE: [PATCH v2 0/6] bpf-lsm: Extend interoperability with IMA

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> From: Roberto Sassu
> Sent: Monday, February 28, 2022 10:08 AM
> > From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx]
> > Sent: Friday, February 25, 2022 8:11 PM
> > On Fri, 2022-02-25 at 08:41 +0000, Roberto Sassu wrote:
> > > > From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx]
> > > > Sent: Friday, February 25, 2022 1:22 AM
> > > > Hi Roberto,
> > > >
> > > > On Tue, 2022-02-15 at 13:40 +0100, Roberto Sassu wrote:
> > > > > Extend the interoperability with IMA, to give wider flexibility for the
> > > > > implementation of integrity-focused LSMs based on eBPF.
> > > >
> > > > I've previously requested adding eBPF module measurements and signature
> > > > verification support in IMA.  There seemed to be some interest, but
> > > > nothing has been posted.
> > >
> > > Hi Mimi
> > >
> > > for my use case, DIGLIM eBPF, IMA integrity verification is
> > > needed until the binary carrying the eBPF program is executed
> > > as the init process. I've been thinking to use an appended
> > > signature to overcome the limitation of lack of xattrs in the
> > > initial ram disk.
> >
> > I would still like to see xattrs supported in the initial ram disk.
> > Assuming you're still interested in pursuing it, someone would need to
> > review and upstream it.  Greg?
> 
> I could revise this work. However, since appended signatures
> would work too, I would propose to extend this appraisal
> mode to executables, if it is fine for you.

Regarding this patch set, I kindly ask if you could accept it,
after I make the changes suggested.

The changes are simple, and waiting another kernel cycle
seems too long.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua

> > > At that point, the LSM is attached and it can enforce an
> > > execution policy, allowing or denying execution and mmap
> > > of files depending on the digest lists (reference values) read
> > > by the user space side.
> > >
> > > After the LSM is attached, IMA's job would be just to calculate
> > > the file digests (currently, I'm using an audit policy to ensure
> > > that the digest is available when the eBPF program calls
> > > bpf_ima_inode_hash()).
> > >
> > > The main benefit of this patch set is that the audit policy
> > > would not be required and digests are calculated only when
> > > requested by the eBPF program.
> >
> > Roberto, there's an existing eBPF integrity gap that needs to be
> > closed, perhaps not for your usecase, but in general.  Is that
> > something you can look into?
> 
> It could be possible I look into it.
> 
> Roberto
> 
> HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
> Managing Director: Li Peng, Zhong Ronghua



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux