On 15-10-20 08:00:29, Mimi Zohar wrote:
> On Tue, 2015-10-20 at 10:26 +0300, Petko Manolov wrote:
> > On 15-10-19 14:21:42, Mimi Zohar wrote:
> > > On Fri, 2015-10-16 at 22:31 +0300, Petko Manolov wrote:
> > > > When in development it is useful to read back the IMA policy. This patch
> > > > provides the functionality. However, this is a potential security hole so
> > > > it should not be used in production-grade kernels.
> > >
> > > Like the other IMA securityfs files, only root would be able to read it.
> > > Once we start allowing additional rules to be appended to the policy,
> > > being able to view the resulting policy is important. Is there a reason
> > > for limiting this option to development?
> >
> > I have not considered allowing non-root users to read the policy - I was
> > merely cleaning up Zbigniew's patch. I guess it might be useful to be able to
> > read the policy when in development mode.
>
> I guess I wasn't clear. I don't have a problem with the patch itself, just
> with the patch description. What is this "security hole" that the option
> should ONLY be configured for development? Only privileged users can view the
> policy. I don't see the problem with configuring it in general. Please
> remove the comment.
By "security hole" I mean being able to read it at all. Root or non-root.
Knowing what the IMA policy is may give the attacker an idea how to circumvent
it. I used stronger words in order to attract the user's attention and make
them consider carefully what the implications are when enabling this option.

However, I do not insist on keeping this comment. I will remove it or re-word
it if you think it is nonsensical in its present form.

BTW, I still think it is a good idea that only the root user has access to the
IMA policy. Unless I hear otherwise I am planning to keep the current
functionality.
> Since responding, I've enabled this feature. Very nice!
Have you tried it?
Petko