-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to reject specific hashes in a IMA file signature based runtime policy #1540
Comments
I would let a use case drive this decision. So far I at least have regarded the exclude list as a first level of filtering. I am not sure what we want to see happening when the exclude list was to be applied last for example. |
Hi @stefanberger |
In terms of ordering in this case one could look at the current allowlist with their path names and then have something like a policy for skipping files (accept) that match regular expressions or rejecting files also due to regular expressions? This way we could keep the exclude list check first but then have a check for files to accept and reject based on regular expressions. It would then look like this, with additional steps 4 beyond what we have today:
We would have to design how to write a policy for 4.
The above would accept (effectively ignore) all files with path prefix /var/lib/containers/ and have a default policy of REJECT for everything that couldn't be evaluated before. |
I have a concern that keeping the excludelist prioritized will negatively impact user experience. I think that when a user is interested in a single subdirectory within a directory, creating excludelist that covers everything else within that directory except that single subdirectory is unnecessarily complicated. Also, the idea of rejectlist was that a user could provide a list of files and corresponding hashes that would be rejected even in case the file has a valid IMA signature. This doesn't seem to be covered by the proposal above. OTOH, I like the idea of
The possibility to mix ACCEPT and REJECT or EXCLUDE might provide more flexibility. We could get inspired by approaches use in firewall configuration etc and even implement additional keywords. |
There's a difference between going with what we have right now versus starting over with something completely new...
I like the format of the rules, though we will need scripts/tools to do this and they will have to generate the rules basically in the right order. With hosts having potentially thousands of lines for measurement to deal with it's something users will have difficulties with writing such a policy by hand. |
If we wanted to continue with the current code (before starting something completely new) then my proposal here would be the following:
For better or worse we will have to maintain backwards compatibility with the current policy and how it's being processed even if we moved to a new way of describing the policy. For internal processing the above may look like this in the new format:
iptables has ipsets which are used for bulk-processing of ip addresses. We could regard our current maps of path and hashes and lists of regexs as hash & regex sets where our current JSON policy could have them with implicit names, so we could rewrite the above to this:
It may be worth consider that the user shouldn't initially write the above last two lines but provide some sort of REGEX-LIST with rules like this ['ACCEPT:/var/lib/containers/', 'REJECT: .'], which then leads to the following:
|
I have a branch for converting the current code to be executed by a policy here: https://github.com/stefanberger/keylime/commits/stefanberger/new_ima_policy/ I am currently working with this policy here that does not support device mapper stuff at all (@THS-on ) and adds two new rules for a reject list and and a potential filter list, though support for these 2 can be deferred:
What I was going to possibly convert this towards is this here:
Is this the right direction? Comments? Obviously we need to get the language right before we ever allow users to write a policy like this. I guess something like the above would then be embedded in our current JSON runtime policy and be able to reference existing maps of filenames and hashes (like 'digests') and lists of regular expressions (like 'excludes'). I think support for these containers for bulk process will still be necessary considering that some systems will have huge amounts of filenames and hashes, which also won't make it any easier and requires tools to be able to create a policy. Suggestions for future support of other rules and their parameters are welcome -- we need to find a pattern on how they will all look like. The above also needs support for device mapper so it then ends up behaving 100% like the current code does. |
Regarding the device mapper stuff, I think it is absolutely fine to exclude this for now. I'm pretty sure we are the only ones that are using this (also only in testing) and for it to be useful it requires IMA caching disabled and for dm-verity also a further kernel patch. |
I added a rule, for now called 'DEVICE-MAPPER-CHECK', that runs the existing code. |
Hi @stefanberger , I would like to have it reviewed by @ansasaki but he won't be available for the next two weeks. |
@kkaarreell I have support for something like this now as well in a bit different format:
or
or
|
Is your issue a feature request? If so, please raise it as an enhancement
Description
Fedora includes signed hashes for files in a RPM package and with rpm-plugin-ima installed I can get those IMA file signatures to extended attributes when the package gets installed or updated. However, the problem with the file signatures is that they are "forever". When I update a package, replacing a file with its newer version, I would like to be able to add the old hash on an reject list so that a system fails attestation if the "old" file lands on a disk again (e.g. due an RPM downgrade).
Another, slightly related topic is the order of runtime policy lists evaluation. I believe that the current sequence is:
Is it correct that an excludelist to always takes a preference? Would it be reasonable to make the order configurable, probably as a part of the runtime policy itself?
The text was updated successfully, but these errors were encountered: