Please enable CONFIG_IMA in the ubuntu kernel
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Medium | Colin Ian King |
Saucy | Opinion | Medium | Dave Chiluk |
Trusty | Fix Released | Medium | Colin Ian King |
Bug Description
I would be doubly happy if this also went into the raring backport kernel.
I chatted with apw and kees on #ubuntu-kernel earlier in the week. From a security engineer on our team:
So I was mistaken. If CONFIG_IMA=y, the default policy is NULL unless you boot with ima_tcb=on. Without ima_tcb=y, nothing is measured, nothing is audited, no performance/memory hit is incurred.
Same is true for CONFIG_
So we are asking that you enable CONFIG_IMA, but to not enable it via the kernel command line options. IMA would boot with an empty policy and should incur no overhead. Enterprising folks who want to run IMA can enable it in grub at their option.
CONFIG_IMA=y
and possibly:
CONFIG_
CONFIG_IMA_AUDIT=y
CONFIG_
-A
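The behaviour described in the report (IMA built in but idle unless the boot command line asks for the TCB policy) can be checked per host. The script below is an added example, not code from the bug report or the Ubuntu kernel team. The function names are hypothetical, the sample config is constructed, and `/boot/config-$(uname -r)` is assumed to be where the running kernel's config is installed.

```shell
#!/bin/sh
# Added example: classify a kernel's IMA state from its build config and its
# boot command line, following the behaviour described in the report.

# True if the config file builds IMA in (CONFIG_IMA=y).
ima_built_in() {
    grep -q '^CONFIG_IMA=y$' "$1"
}

# True if the command line carries an ima_tcb token. The report writes it as
# both ima_tcb=on and ima_tcb=y; assumption: any ima_tcb token is a request.
ima_tcb_requested() {
    for tok in $1; do
        case "$tok" in
            ima_tcb|ima_tcb=*) return 0 ;;
        esac
    done
    return 1
}

# Prints one of: not-built, empty-policy, tcb-policy.
ima_state() {
    if ! ima_built_in "$1"; then
        echo "not-built"
    elif ima_tcb_requested "$2"; then
        echo "tcb-policy"
    else
        echo "empty-policy"
    fi
}

# Constructed sample: a config fragment with IMA built in, evaluated against
# the command line string passed as $1.
ima_demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_IMA=y' 'CONFIG_IMA_AUDIT=y' > "$cfg"
    ima_state "$cfg" "$1"
    rm -f "$cfg"
}

# Live check against the running kernel: sh ima_state.sh --live
if [ "${1:-}" = "--live" ]; then
    ima_state "/boot/config-$(uname -r)" "$(cat /proc/cmdline)"
fi
```

A fleet audit can treat `tcb-policy` as the only state in which measurement overhead is expected, and `empty-policy` as the state the report asks Ubuntu to ship by default.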
Changed in linux (Ubuntu):
importance: Undecided → Medium
tags: added: kernel-da-key raring trusty
Changed in linux (Ubuntu):
status: Confirmed → Triaged
Changed in linux (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: saucy removed: raring
Changed in linux (Ubuntu Saucy):
status: New → Triaged
Changed in linux (Ubuntu Saucy):
assignee: nobody → Chris J Arges (arges)
importance: Undecided → Medium
Changed in linux (Ubuntu Saucy):
assignee: Chris J Arges (arges) → Dave Chiluk (chiluk)
Status changed to 'Confirmed' because the bug affects multiple users.