From: Subodh N. <nij...@gm...> - 2011-09-12 21:49:59

On Mon, Sep 12, 2011 at 1:35 PM, Mimi Zohar <zo...@li...> wrote:
> On Mon, 2011-09-12 at 11:50 -0700, Subodh Nijsure wrote:
>> Hello,
>>
>> I have been using the repo that Dmitry pointed to a few days ago to get
>> familiar with the IMA/EVM feature set.
>>
>> I work for an embedded hw/sw company and we are greatly interested in
>> this feature; it is exactly what we are looking for to assure customers
>> that the stuff running on our device is not being compromised.
>>
>> Anyway, I have compiled the kernel as described at
>> http://linux-ima.sourceforge.net/. For testing I am running this
>> kernel to boot a Ubuntu system under VirtualBox.
>>
>> I am running the evm_enable.sh script that is part of evm-utils.
>>
>> So I booted the system with kernel parameters rootflags=i_version
>> ima_audit=1 ima_appraise=fix evm=fix and ran the script
>> evm_label_all.sh. I created a test script called /bin/myscript.sh; this
>> script had the following security.* info
>> (This script just does echo "Hello World".)
>>
>> # file: bin/myscript.sh
>> security.evm=0x02be034301cffd95fd237197ddf895d1e7e09ceed2
>> security.ima=0x01c0c5e04cf9c08652faf0247afb19c6d708ccf5ba
>>
>> Now I rebooted this machine with kernel parameters rootflags=i_version
>> ima_audit=1 ima_tcb, then I updated /bin/myscript.sh to say echo
>> "Hello World1". This updates the security.* info on this file as
>> shown below.
>>
>> # file: bin/myscript.sh
>> security.evm=0x02acf40095e80e65a44c50724b723dea8363f1e26ebe
>> security.ima=0x01dc29420238f18fca4e06d970eec75725a36373ee
>>
>> My keyctl shows the following output:
>>
>> sudo keyctl list @u
>> 4 keys in keyring:
>> 666858261: --alswrv 0 0 user: kmk
>> 461487313: --alswrv 0 0 encrypted: evm-key
>> 715895674: --alswrv 0 0 keyring: _ima
>> 793114560: --alswrv 0 0 keyring: _evm
>>
>> But I expected that, since I booted the system with ima_tcb, I shouldn't
>> be able to execute the updated myscript.sh? What am I doing wrong in
>> this basic IMA/EVM test?
>
> Nothing went wrong. :-) It's working as designed, permitting
> 'security.ima' and 'security.evm' to be updated, assuming the original
> values are valid. Modifying either security xattr offline will prevent
> the myscript.sh from being modified online.
>
> If 'security.ima' had been a digital signature, it wouldn't have been
> updated. As a result, executing myscripts.sh would subsequently fail.

Sorry if this is obvious. I thought Dmitry's demo last week at the Linux
Plumbers conference showed that it was possible, i.e. once myscript.sh has
security.ima signed by security.evm, subsequent changes to myscript.sh
would prevent its execution. Maybe I missed some of the steps from
Dmitry's demo at LSS, or that demo used some additional patch set?

Should I be merging changes from
git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6.gitt/#next-ima-appraisal
for my testing? If yes, since kernel.org is still down, is there another
place where I can look at those changes?

>> I also see a bunch of "no evm keyring: -126" messages in the log; a few
>> instances from the log are shown below.
>>
>> [ 342.476799] type=1804 audit(1315852167.927:2686): pid=1548 uid=1000 auid=4294967295 ses=4294967295 op="add_template_measure" cause="hash_added" comm="bash" name="/bin/more" dev=sda1 ino=97 res=0
>> [ 416.364434] no evm keyring: -126
>> [ 425.707144] no evm keyring: -126
>> [ 425.707883] type=1804 audit(1315852251.155:2687): pid=1583 uid=1000 auid=4294967295 ses=4294967295 op="add_template_measure" cause="hash_added" comm="bash" name="/usr/bin/scp" dev=sda1 ino=1424 res=0
>> [ 466.291967] no evm keyring: -126
>> [ 466.292507] type=1804 audit(1315852291.743:2688): pid=1591 uid=1000 auid=4294967295 ses=4294967295 op="add_template_measure" cause="hash_added" comm="bash" name="/bin/ping" dev=sda1 ino=123 res=0
>> [ 484.024376] no evm keyring: -126
>> [ 484.024629] type=1804 audit(1315852309.475:2689): pid=1599 uid=1000 auid=4294967295 ses=4294967295 op="add_template_measure" cause="hash_added" comm="scp" name="/usr/bin/ssh" dev=sda1 ino=1512 res=0
>> [ 485.860190] no evm keyring: -126
>>
>> A minor correction to the FAQ section of http://linux-ima.sourceforge.net/.
>> The last question refers to the kernel parameter ima-appraisal=fix;
>> should it not be ima_appraise=fix?
>>
>> -Subodh
>
> Thanks for catching that.
>
> Mimi

-Subodh
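The point Mimi makes above, that a hash-type 'security.ima' follows the file contents when the file is edited online, while an offline edit leaves a stale hash that appraisal catches, can be reproduced outside the kernel. The following is an added example, not code from the thread, the IMA project or evm-utils. It assumes only the xattr layout visible in the thread's getfattr dumps: a one-byte type (0x01 on the security.ima values, 0x02 on the security.evm values) followed by a 20-byte SHA-1. The script contents, function names and verdict strings are constructed for the illustration.

```python
"""Added example (not from the mailing-list thread): parse and check the
hash form of the IMA 'security.ima' xattr shown in the thread, which is
a one-byte type followed by a 20-byte SHA-1 of the file contents."""
import hashlib

# Type bytes as seen in the thread's xattr dumps (assumed meaning):
# 0x01 leads the security.ima values: plain SHA-1 digest of the contents.
# 0x02 leads the security.evm values: an HMAC over the security xattrs and
#      inode metadata, keyed by the evm-key on the kernel keyring, so it
#      cannot be recomputed here without that key.
IMA_TYPE_DIGEST = 0x01
EVM_TYPE_HMAC = 0x02
SHA1_LEN = 20


def parse_xattr(hexvalue):
    """Split a getfattr-style '0x...' value into (type_byte, payload)."""
    body = hexvalue[2:] if hexvalue.startswith("0x") else hexvalue
    raw = bytes.fromhex(body)
    if not raw:
        raise ValueError("empty xattr value")
    return raw[0], raw[1:]


def ima_digest_xattr(content):
    """Build the hash-type security.ima value for the given file contents,
    the same shape the kernel writes in ima_appraise=fix mode."""
    return "0x" + bytes([IMA_TYPE_DIGEST]).hex() + hashlib.sha1(content).hexdigest()


def appraise(content, ima_xattr):
    """Compare contents against a security.ima value.

    Returns 'ok' when the stored digest matches, 'mismatch' when it does
    not (an offline edit left the xattr behind), and 'unverifiable' for
    any non-digest type such as a signature, which needs the public key
    on the _ima keyring rather than the file contents alone."""
    xtype, payload = parse_xattr(ima_xattr)
    if xtype != IMA_TYPE_DIGEST:
        return "unverifiable"
    if len(payload) != SHA1_LEN:
        return "mismatch"
    return "ok" if payload == hashlib.sha1(content).digest() else "mismatch"


def demo():
    """Walk through the three situations discussed in the thread."""
    # Constructed stand-in for /bin/myscript.sh and its edited version.
    original = b'#!/bin/sh\necho "Hello World"\n'
    modified = b'#!/bin/sh\necho "Hello World1"\n'
    labelled = ima_digest_xattr(original)
    return {
        # Untouched file: digest matches, execution allowed.
        "unchanged": appraise(original, labelled),
        # Offline edit: contents changed but the xattr was not, so the
        # stale digest no longer matches and appraisal fails.
        "offline_edit": appraise(modified, labelled),
        # Online edit of a hash-type xattr: the kernel rehashes on close, so
        # the xattr follows the contents and appraisal passes again, which
        # is exactly what the original poster observed.
        "online_edit": appraise(modified, ima_digest_xattr(modified)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The 'unverifiable' branch is the reason a signed 'security.ima' behaves differently: the kernel cannot regenerate a signature from the new contents, so after an edit the stored value simply stops matching and the file fails appraisal.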