> > > Ok, that's the point I am missing. So I can sign a file and signatures
> > > are in a separate file. And these signatures are installed in extended
> > > attributes at file installation time (IOW rpm installation time) on
> > > target.
> > >
> > > If all this works, this sounds reasonable so far. Except the point of
> > > disabling ptrace and locking down memory.
> > >
> > > So what's the state of above work. Is there something I can play with?
Let me try to comment on this one a bit. The whole idea behind extending the rpm plugin interface was to have an extensive set of hooks that would allow rpm plugins to perform needed additional things. Plugins can be different depending on a distribution's needs, and if a distribution needs to bootstrap IMA signatures, this can also be done in one of the plugin hooks.

Now about hook status: we have so far integrated to the rpm master branch only a subset of hooks. Mainly the cause has been that I am far from working on it all the time, unfortunately. Currently I am looking at the filesystem hooks and hoping to send some version of that patch soon.

When the hooks are integrated, it is really up to the plugin implementor to design how things will happen. There will be a hook that would be called after a file from a package is placed on the filesystem, where the plugin can do many things, like setting MAC labels or setting IMA signatures on a file.

The way the signature will be stored in a package is also currently open; there can be a number of options here. You can define a special rpm header TAG and during package build embed all the information about signatures there together with the file name. This way the plugin can parse the header tag info, get all the signature info and, when the right hook is called, set up the IMA signature attribute. But as I said, this is just one way of doing it and may not be the best one.

Best Regards,
Elena.
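The flow Elena sketches (signatures carried in a package header tag, applied to `security.ima` by a post-install hook), mocked up in Python as an added example; this is not rpm's plugin API nor code from this thread. The header-tag layout is an assumption of the example; the xattr byte layout follows the kernel's `signature_v2_hdr` format.

```python
import os
import struct
import tempfile

EVM_IMA_XATTR_DIGSIG = 0x03  # security.ima holds a signature (kernel xattr type byte)
SIGNATURE_V2 = 0x02          # struct signature_v2_hdr version
HASH_ALGO_SHA256 = 4         # enum hash_algo, include/uapi/linux/hash_info.h

def build_ima_xattr(sig, keyid, hash_algo=HASH_ALGO_SHA256):
    """security.ima value: type byte, signature_v2_hdr (ver, algo, keyid, size), signature."""
    return struct.pack(">BBBIH", EVM_IMA_XATTR_DIGSIG, SIGNATURE_V2,
                       hash_algo, keyid, len(sig)) + sig

def parse_signature_tag(blob):
    """Hypothetical header-tag layout (an assumption, not rpm's): repeated
    NUL-terminated path, u32 keyid, u16 signature length, signature bytes."""
    entries, pos = {}, 0
    while pos < len(blob):
        end = blob.index(b"\0", pos)
        keyid, size = struct.unpack(">IH", blob[end + 1:end + 7])
        entries[blob[pos:end].decode()] = (keyid, blob[end + 7:end + 7 + size])
        pos = end + 7 + size
    return entries

def post_install_hook(root, entries):
    """Mock of the 'file placed on the filesystem' hook. Returns path -> None on success
    or the OSError text: security.* xattrs need CAP_SYS_ADMIN and an xattr-capable fs."""
    result = {}
    for path, (keyid, sig) in entries.items():
        try:
            os.setxattr(os.path.join(root, path.lstrip("/")), "security.ima",
                        build_ima_xattr(sig, keyid))
            result[path] = None
        except OSError as err:
            result[path] = str(err)
    return result

# Constructed sample tag: one file, 4-byte placeholder "signature", keyid 0x1A2B3C4D.
SAMPLE_TAG = b"/usr/bin/demo\0" + struct.pack(">IH", 0x1A2B3C4D, 4) + b"\xde\xad\xbe\xef"

def demo(tag=SAMPLE_TAG):
    """Stage the files a package would drop under a temp root, then run the hook."""
    entries = parse_signature_tag(tag)
    with tempfile.TemporaryDirectory() as root:
        for path in entries:
            target = os.path.join(root, path.lstrip("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            open(target, "wb").close()
        return post_install_hook(root, entries)
```

A real plugin would treat a failed `setxattr` as an installation error rather than leaving the file unlabelled, since an appraising IMA policy will then refuse to open it.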