Message ID | 20200409103440.47946-1-tianjia.zhang@linux.alibaba.com (mailing list archive) |
---|---|
Series | support to read and tune appraise mode in runtime |

On 4/9/20 6:34 AM, Tianjia Zhang wrote:
> Support the read and write operations of ima_appraise by adding a
> securityfs file 'appraise_mode'.
>
> In order to tune appraise mode in runtime, writing a PKCS#7 signature

I am curious to know why you would tune appraise mode in runtime?

Thanks & Regards,

- Nayna

On 2020/4/12 5:43, Nayna wrote:
>
> On 4/9/20 6:34 AM, Tianjia Zhang wrote:
>> Support the read and write operations of ima_appraise by adding a
>> securityfs file 'appraise_mode'.
>>
>> In order to tune appraise mode in runtime, writing a PKCS#7 signature
>
> I am curious to know why you would tune appraise mode in runtime?
>
> Thanks & Regards,
>
> - Nayna

Mainly used for emergency shutdown under some abnormal conditions.

Thanks,
Tianjia

Support the read and write operations of ima_appraise by adding a
securityfs file 'appraise_mode'.

In order to tune appraise mode in runtime, writing a PKCS#7 signature
corresponding to the signed content is required. The content should be off,
enforce, log or fix. Here is a simple way to achieve this:

    $ echo -n off > mode
    $ openssl smime -sign -nocerts -noattr -binary \
        -in mode -inkey <system_trusted_key> \
        -signer <cert> -outform der -out mode.p7s
    $ sudo sh -c 'cat mode.p7s \
        > /sys/kernel/security/ima/appraise_mode'

Note that the signing key must be a trusted key located in the system trusted
keyring. So even the root privilege cannot simply disable the enforcement.

---
v2 change:
  fix build error.

Tianjia Zhang (2):
  ima: support to read appraise mode
  ima: support to tune appraise mode in runtime

 security/integrity/ima/ima_fs.c | 140 +++++++++++++++++++++++++++++++-
 1 file changed, 139 insertions(+), 1 deletion(-)
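
A pre-flight check for the signing procedure in the cover letter above, as an added example that is not part of the posted series: it confirms that a mode file holds exactly one of the four accepted strings and that mode.p7s is a detached signature over those exact bytes. The function names, the throwaway self-signed key and the no-trailing-newline rule (taken from the page's `echo -n`) are assumptions of this example.

```shell
#!/bin/sh
# check_mode_sig MODE_FILE P7S_FILE CERT_PEM   (hypothetical helper)
# Succeeds only if MODE_FILE holds exactly one of the four modes named in
# the cover letter (assumption: no trailing newline, as `echo -n` writes)
# and P7S_FILE is a detached DER PKCS#7 signature over those exact bytes,
# made by the key behind CERT_PEM.
check_mode_sig() {
    # Append a sentinel so $(...) does not silently drop a trailing newline.
    mode=$(cat "$1" && printf x) || return 1
    mode=${mode%x}
    case "$mode" in
        off|enforce|log|fix) ;;
        *) echo "rejecting $1: not exactly off, enforce, log or fix" >&2
           return 1 ;;
    esac
    # -noverify skips chain building: this only proves the signature matches
    # CERT_PEM. Whether that key sits in the system trusted keyring is the
    # kernel's decision and cannot be checked from here.
    openssl smime -verify -binary -inform der -in "$2" -content "$1" \
        -certfile "$3" -nointern -noverify >/dev/null 2>&1
}

# make_demo_dir (hypothetical): builds constructed sample input in a temp
# directory using a throwaway self-signed key, NOT a system trusted key,
# then signs "off" with the flags from the cover letter. Prints the path.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test-signer" \
        -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1 || return 1
    printf off > "$d/mode"
    openssl smime -sign -nocerts -noattr -binary \
        -in "$d/mode" -inkey "$d/key.pem" \
        -signer "$d/cert.pem" -outform der -out "$d/mode.p7s" \
        >/dev/null 2>&1 || return 1
    echo "$d"
}

if demo=$(make_demo_dir); then
    check_mode_sig "$demo/mode" "$demo/mode.p7s" "$demo/cert.pem" \
        && echo "mode.p7s verifies over: $(cat "$demo/mode")"
    printf 'off\n' > "$demo/mode_nl"      # what plain `echo off` would write
    check_mode_sig "$demo/mode_nl" "$demo/mode.p7s" "$demo/cert.pem" \
        || echo "trailing newline rejected"
fi
```

Because the signature is made with `-noattr` over the raw bytes, a mode.p7s produced for `off` does not verify against any other mode string, which is what ties each signed blob to a single setting.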