linux-ima-devel

[Linux-ima-devel] xz-compressed modules checking

[Bruno E. O. M. <brd...@re...>]

Hi, 

Recently, while playing around with IMA modules check support, I notice
that when the kernel was compiled/installed with XZ-compressed modules
the IMA kernel infra returns -EACCESS on modules initialization. Let me
detail a bit more:

I created the policy file (/etc/ima/ima-policy) with

measure func=MODULE_CHECK uid=0
(... and more, policy file is attached)

then rebooted the kernel (that was built with XZ-compressed modules) and
a bunch of modules didn't load, e.g.:

without ima-policy:
# lsmod | wc -l
32

with it:
# lsmod | wc -l
14

these 14 modules were all loaded during initram booting phase, but if I
rmmod some of them and try to modprobe (strace output):

init_module(0x55b9bcc9bba0, 17763, "") = -1 EACCES (Permission denied)

The point is that there is no violation, because the error occurs right
after kmod calls init_module() and the call follows to ima_read_file()
(kernel tree: security/integrity/ima/ima_main.c) which returns -EACCES,
since there is no 'file' structure available (init_module uses memory
region only and not file descriptor).

I notice this behavior using Fedora 26 (using SELinux as sec framework)
and up-to-date kernel, the question is: should IMA kernel mechanism
support memory regions integrity measurements, maybe following the steps
that MODULE_SIGNATURE takes (that check for module signature through its
mmap region), allowing compressed modules to be loaded? Or kernels built
with XZ/GZ-compressed modules was never meant to be supported? Is it a
bug or a possible enhancement?

Well, thank you guys in advance.

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available

Re: [Linux-ima-devel] xz-compressed modules checking

[Bruno E. O. M. <brd...@re...>]

On 11-10, Bruno E. O. Meneguele wrote:
> Hi, 
> 
> Recently, while playing around with IMA modules check support, I notice
> that when the kernel was compiled/installed with XZ-compressed modules
> the IMA kernel infra returns -EACCESS on modules initialization. Let me
> detail a bit more:
> 
> I created the policy file (/etc/ima/ima-policy) with
> 
> measure func=MODULE_CHECK uid=0
> (... and more, policy file is attached)

oh sorry, I forgot to attach (inline) the policy file. Here it is:

# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# RAMFS_MAGIC
dont_measure fsmagic=0x858458f6
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
# MEASUREMENTS
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=MODULE_CHECK uid=0

Thanks.

> 
> then rebooted the kernel (that was built with XZ-compressed modules) and
> a bunch of modules didn't load, e.g.:
> 
> without ima-policy:
> # lsmod | wc -l
> 32
> 
> with it:
> # lsmod | wc -l
> 14
> 
> these 14 modules were all loaded during initram booting phase, but if I
> rmmod some of them and try to modprobe (strace output):
> 
> init_module(0x55b9bcc9bba0, 17763, "") = -1 EACCES (Permission denied)
> 
> The point is that there is no violation, because the error occurs right
> after kmod calls init_module() and the call follows to ima_read_file()
> (kernel tree: security/integrity/ima/ima_main.c) which returns -EACCES,
> since there is no 'file' structure available (init_module uses memory
> region only and not file descriptor).
> 
> I notice this behavior using Fedora 26 (using SELinux as sec framework)
> and up-to-date kernel, the question is: should IMA kernel mechanism
> support memory regions integrity measurements, maybe following the steps
> that MODULE_SIGNATURE takes (that check for module signature through its
> mmap region), allowing compressed modules to be loaded? Or kernels built
> with XZ/GZ-compressed modules was never meant to be supported? Is it a
> bug or a possible enhancement?
> 
> Well, thank you guys in advance.
> 
> -- 
> bmeneg 
> PGP Key: http://bmeneg.com/pubkey.txt
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 488 bytes
> Desc: not available
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Linux-ima-devel mailing list
> Lin...@li...
> https://lists.sourceforge.net/lists/listinfo/linux-ima-devel

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available