Re: [PATCH] IMA: do not measure everything opened by root bydefault

From: Eric Paris
Date: Wed May 13 2009 - 10:55:44 EST

Next message: Andi Kleen: "Re: [RFC PATCH v2 0/2] Saving power by cpu evacuation sched_max_capacity_pct=n"
Previous message: Vivek Goyal: "Re: [PATCH 07/18] io-controller: Export disk time used and nrsectors dipatched through cgroups"
In reply to: Mimi Zohar: "Re: [PATCH] IMA: do not measure everything opened by root bydefault"
Next in thread: Mimi Zohar: "Re: [PATCH] IMA: do not measure everything opened by root bydefault"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2009-05-12 at 17:53 -0400, Mimi Zohar wrote:
> On Tue, 2009-05-12 at 17:27 -0400, Eric Paris wrote:
> > On Tue, 2009-05-12 at 17:18 -0400, Mimi Zohar wrote:
> > > On Tue, 2009-05-12 at 15:14 -0400, Eric Paris wrote:
> > > > The IMA default policy measures every single file opened by root. This is
> > > > terrible for most users. Consider a system (like mine) with virtual machine
> > > > images. When those images are touched (which happens at boot for me) those
> > > > images are measured. This is just way too much for the default case.
> > > >
> > > > Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
> > >
> > > The question of what to measure is a major issue. If you measure too
> > > much, performance is affected, but if you measure too little, then the
> > > measurement list will not contain everything that could affect the
> > > Trusted Computing Base(TCB), such as configuration files and scripts.
> > >
> > > The solution is not to remove the rule that measures everything read
> > > by root, but to replace the default IMA configuration file with an LSM
> > > specific one, which should be done early in the etc init scripts or
> > > initrd. LTP contains a sample script to replace the default IMA policy
> > > (testcases/kernel/security/integrity/ima/tests/ima_policy.sh).
> > >
> > > The following SELinux integrity rule, prevents /var/log/messages from
> > > being measured. (Dependent on "integrity: lsm audit rule matching fix"
> > > patch in the security-testing tree.)
> > >
> > > dont_measure func=PATH_CHECK mask=MAY_READ obj_type=var_log_t
> > >
> > > By defining an equivalent SELinux integrity rule for each virtual
> > > machine image type, the virtual machine images will not be measured.
> > > This is far better than not measuring everything in the TCB.
> > >
> > > Mimi Zohar
> >
> > While the TCB might be interesting to you I'm going to guess that 99% of
> > users don't care at all. I don't think the kernel should ship with such
> > an overhead just to make the options available to the few.
> >
> > Every distro that wants to ship with IMA compiled in the kernel is going
> > to need to carry their own ima policy and they are going to have to
> > change userspace so they can load that policy by default. This is turn
> > means that every distro is going to, by default, leave ima
> > uncustomizable since we can only load a single policy.
>
> I'm not sure I understand the problem here. Although the policy can only
> be loaded once per boot, it could be based on a configuration file
> like /etc/measure, which the distro could define. Any system specific
> changes could be made to this file.

I'm assuming, although possibly wrongly, that every major distro is
going to enable the IMA config. My reason for making that assumption is
based on the fact tht many distros tend to enable everything they can so
their users can make their own choices without recompiling. Kernel
defaults are supposed to be the default that most people want. How many
people on LKML know, or even care, what the TCB is? By setting the
kernel default to something that is known to be of interest to very few
people and which causes a noticeable performance penalty you force the
work of setting the default out onto the distros. This is wrong. If I
was a distro owner and knew I either had to rewrite the initrd for every
user or create a new package which runs early in the startup just to
disable the IMA rules or I could just not enable IMA in the kernel at
all, which do you think I would choose? I see that in Fedora 12 kernels
they chose not to enable IMA. Why should we take on the maintenance
burden of another package just to fix the default IMA rules so they are
reasonable for most of our users?

I think if you want to make IMA available, the default config needs to
be reasonable to reasonable people. The people who care about the TCB
should be the ones adding custom policy.

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andi Kleen: "Re: [RFC PATCH v2 0/2] Saving power by cpu evacuation sched_max_capacity_pct=n"
Previous message: Vivek Goyal: "Re: [PATCH 07/18] io-controller: Export disk time used and nrsectors dipatched through cgroups"
In reply to: Mimi Zohar: "Re: [PATCH] IMA: do not measure everything opened by root bydefault"
Next in thread: Mimi Zohar: "Re: [PATCH] IMA: do not measure everything opened by root bydefault"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]