linux/security
Eric Paris 5789ba3bd0 IMA: Minimal IMA policy and boot param for TCB IMA policy
The IMA TCB policy is dangerous.  A normal use can use all of a system's
memory (which cannot be freed) simply by building and running lots of
executables.  The TCB policy is also nearly useless because logging in as root
often causes a policy violation when dealing with utmp, thus rendering the
measurements meaningless.

There is no good fix for this in the kernel.  A full TCB policy would need to
be loaded in userspace using LSM rule matching to get both a protected and
useful system.  But, if too little is measured before userspace can load a real
policy one again ends up with a meaningless set of measurements.  One option
would be to put the policy load inside the initrd in order to get it early
enough in the boot sequence to be useful, but this runs into trouble with the
LSM.  For IMA to measure the LSM policy and the LSM policy loading mechanism
it needs rules to do so, but we already talked about problems with defaulting
to such broad rules....

IMA also depends on the files being measured to be on an FS which implements
and supports i_version.  Since the only FS with this support (ext4) doesn't
even use it by default it seems silly to have any IMA rules by default.

This should reduce the performance overhead of IMA to near 0 while still
letting users who choose to configure their machine as such to inclue the
ima_tcb kernel paramenter and get measurements during boot before they can
load a customized, reasonable policy in userspace.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
2009-05-22 09:31:20 +10:00
..
integrity/ima IMA: Minimal IMA policy and boot param for TCB IMA policy 2009-05-22 09:31:20 +10:00
keys keys: Handle there being no fallback destination keyring for request_key() 2009-04-09 10:41:19 -07:00
selinux selinux: remove obsolete read buffer limit from sel_read_bool 2009-05-19 23:56:11 +10:00
smack Merge branch 'master' into next 2009-05-08 17:56:47 +10:00
tomoyo tomoyo: version bump to 2.2.0. 2009-04-14 09:15:02 +10:00
capability.c lsm: Remove the socket_post_accept() hook 2009-03-28 15:01:37 +11:00
commoncap.c Merge branch 'master' into next 2009-05-08 17:56:47 +10:00
device_cgroup.c devcgroup: avoid using cgroup_lock 2009-04-02 19:04:55 -07:00
inode.c securityfs: securityfs_remove should handle IS_ERR pointers 2009-05-12 11:06:11 +10:00
Kconfig Kconfig and Makefile 2009-02-12 15:19:00 +11:00
lsm_audit.c smack: implement logging V3 2009-04-14 09:00:19 +10:00
Makefile smack: implement logging V3 2009-04-14 09:00:23 +10:00
root_plug.c Revert "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]" 2009-01-07 09:21:54 +11:00
security.c CacheFiles: Export things for CacheFiles 2009-04-03 16:42:40 +01:00