https://sourceware.org/bugzilla/show_bug.cgi?id=28204
--- Comment #28 from Mark Wielaard <mark at klomp dot org> ---
(In reply to Ryan Goldberg from comment #27)
> (In reply to Mark Wielaard from comment #24)
> > BTW. How does this interact with the "section" queries?
> Since these aren't ima verifiable anyways wdyt of just skipping verification
> altogether (i.e. treat that query in the same way as the ignore policy)

Assuming ima verification is so one can be sure bits are what a distro really distributes I don't think a default to ignore policy is useful. I think in enforcing mode there is no good way to fetch just the section data and the client has to fall back onto requesting the full executable or debuginfo file, verify the ima signature, and then locally extract the section data (of course this is somewhat inefficient).

> Tweaking the above to something like:
> 2008 if(NULL != url_ima_policies && ignore !=
> url_ima_policies[committed_to] && NULL == section) { ... }
>
> (In reply to Mark Wielaard from comment #25)
> > Includes an "undefined" policy?
> Just used internally when parsing DEBUGINFOD_URLS
> > Is the k += DATA_SIZE correct? Can't pread return an n < DATA_SIZE?
> Fixed
> > If the cert_paths = strdup (...) fails cert_paths gets assigned a static
> > string?
> Fixed

Thanks. It would be good to post a patch with these fixes (maybe rebased to current git trunk). So it is more clear what exact change you intend to commit.

> (In reply to Mark Wielaard from comment #26)
> > If we have a permissive mode then I think it should work like the selinux
> > permissive mode.
> > That is, it should always check the signature, but instead of failing with
> > EPERM, it should
> > always produce a warning (whether or not we are in verbose mode or not).
> I would be ok with this kind of permissive mode

This would have my preference too. Or just simply have either an ignore or enforcing mode. But from our discussion on irc I think Frank believes it is better to see permissive mode as a kind of possible checksum mode.

I am not sure about that use case. Given that we have reliable transports a checksum mode might be something for the server to do (assuming the server doesn't trust its own storage). The server could do an ima check before sending any file and simply not send it if the ima check(sum) fails. This then would be independent of the client ima check (enforced or not).
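
The short-read question quoted above from comment #25 (`k += DATA_SIZE` after `pread`), worked through as an added example; this is not code from the patch under review. It assumes the loop feeds file contents to a digest: FNV-1a stands in for the real hash, and `digest_fd`, `fnv1a` and `roundtrip` are hypothetical names.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

#define DATA_SIZE 4096
#define FNV_INIT 0xcbf29ce484222325ULL

/* Stand-in for the real digest update call (FNV-1a, not cryptographic). */
static uint64_t fnv1a(uint64_t h, const unsigned char *p, size_t n)
{
  for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
  return h;
}

/* Digest everything behind fd; returns 0 on success, -1 on read error. */
static int digest_fd(int fd, uint64_t *digest, off_t *total)
{
  unsigned char buf[DATA_SIZE];
  uint64_t h = FNV_INIT;
  off_t k = 0;
  for (;;)
    {
      ssize_t n = pread(fd, buf, sizeof buf, k);
      if (n < 0 && errno == EINTR) continue; /* interrupted: retry same offset */
      if (n < 0) return -1;                  /* I/O error: no digest of partial data */
      if (n == 0) break;                     /* end of file */
      h = fnv1a(h, buf, (size_t) n);         /* hash only the n bytes actually read */
      k += n;                                /* advance by n, not by DATA_SIZE */
    }
  *digest = h;
  *total = k;
  return 0;
}

/* Constructed input: len patterned bytes in an unlinked temp file.
   Returns 1 if the file digest and length match the in-memory ones. */
static int roundtrip(size_t len)
{
  char path[] = "/tmp/pread_demo_XXXXXX";
  unsigned char *data = malloc(len ? len : 1);
  int fd = mkstemp(path), ok = 0;
  uint64_t got = 0;
  off_t total = -1;
  if (data != NULL && fd >= 0)
    {
      for (size_t i = 0; i < len; i++) data[i] = (unsigned char) (i * 31 + 7);
      ok = write(fd, data, len) == (ssize_t) len
           && digest_fd(fd, &got, &total) == 0
           && total == (off_t) len && got == fnv1a(FNV_INIT, data, len);
    }
  if (fd >= 0) { unlink(path); close(fd); }
  free(data);
  return ok;
}

int main(void) { return roundtrip(10000) ? 0 : 1; }
```

With a 10000-byte file the last `pread` returns 1808 bytes; advancing the offset by `DATA_SIZE` there would put the reported length past the end of the file and, if the whole buffer were hashed, mix stale bytes into the digest.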