From: Kasatkin, D. <dmi...@in...> - 2011-09-13 08:42:59
Hi,

On Tue, Sep 13, 2011 at 12:49 AM, Subodh Nijsure <nij...@gm...> wrote:
> On Mon, Sep 12, 2011 at 1:35 PM, Mimi Zohar <zo...@li...> wrote:
>> On Mon, 2011-09-12 at 11:50 -0700, Subodh Nijsure wrote:
>>> Hello,
>>>
>>> I have been using the repo that Dmitry pointed to a few days ago to get
>>> familiar with the IMA/EVM feature set.
>>>
>>> I work for an embedded hw/sw company and we are greatly
>>> interested in this feature; it is exactly what we are looking for to assure
>>> customers that the stuff running on our device is not being compromised.
>>>
>>> Anyway, I have compiled the kernel as described at
>>> http://linux-ima.sourceforge.net/. For testing I am running this
>>> kernel to boot an Ubuntu system under VirtualBox.
>>>
>>> I am running the evm_enable.sh script that is part of evm-utils.
>>>
>>> So I booted the system with kernel parameters rootflags=i_version
>>> ima_audit=1 ima_appraise=fix evm=fix and ran the script
>>> evm_label_all.sh. I created a test script called /bin/myscript.sh; this
>>> script had the following security.* info
>>> (This script just does echo "Hello World".)
>>>
>>> # file: bin/myscript.sh
>>> security.evm=0x02be034301cffd95fd237197ddf895d1e7e09ceed2
>>> security.ima=0x01c0c5e04cf9c08652faf0247afb19c6d708ccf5ba
>>>
>>> Now I rebooted this machine with kernel parameters rootflags=i_version
>>> ima_audit=1 ima_tcb, then I updated /bin/myscript.sh to say echo
>>> "Hello World1". Now this updates the security.* info on this file as
>>> shown below.
>>>
>>> # file: bin/myscript.sh
>>> security.evm=0x02acf40095e80e65a44c50724b723dea8363f1e26ebe
>>> security.ima=0x01dc29420238f18fca4e06d970eec75725a36373ee
>>>
>>> My keyctl shows the following output:
>>>
>>> sudo keyctl list @u
>>> 4 keys in keyring:
>>> 666858261: --alswrv 0 0 user: kmk
>>> 461487313: --alswrv 0 0 encrypted: evm-key
>>> 715895674: --alswrv 0 0 keyring: _ima
>>> 793114560: --alswrv 0 0 keyring: _evm
>>>
>>>
>>> But I expected that since I booted the system with ima_tcb I shouldn't be
>>> able to execute the updated myscript.sh? What am I doing wrong in doing
>>> the basic IMA/EVM test?
>>
>> Nothing went wrong. :-) It's working as designed, permitting
>> 'security.ima' and 'security.evm' to be updated, assuming the original
>> values are valid. Modifying either security xattr offline will prevent
>> the myscript.sh from being modified online.
>>
>> If 'security.ima' had been a digital signature, it wouldn't have been
>> updated. As a result, executing myscripts.sh would subsequently fail.
>>
>
> Sorry if this is obvious.
>
> I thought Dmitry's demo last week at the Linux Plumbers conference showed
> that it was possible, i.e. once myscript.sh has security.ima signed by
> security.evm, subsequent changes to myscript.sh would prevent its
> execution.
>
> Maybe I missed some of the steps from Dmitry's demo at LSS, or that
> demo used some additional patch set?
>
> Should I be merging changes from
> git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6.gitt/#next-ima-appraisal
> for my testing? If yes, since kernel.org is still down, is there
> another place where I can look at those changes?
>
>
>>> I also see a bunch of "no evm keyring: -126" messages in the log; a few
>>> instances from the log are shown below.
>>>
>>> [ 342.476799] type=1804 audit(1315852167.927:2686): pid=1548 uid=1000
>>> auid=4294967295 ses=4294967295 op="add_template_measure"
>>> cause="hash_added" comm="bash" name="/bin/more" dev=sda1 ino=97 res=0
>>> [ 416.364434] no evm keyring: -126
>>> [ 425.707144] no evm keyring: -126

Yes, you see it before the keyring is created.
evm_enable.sh should be called before mounting rootfs - from initramfs.
In the demo, the image uses that...
I have modified the mkinitrd script from MeeGo to enable IMA/EVM.
1. It creates the IMA policy
2. It enables IMA/EVM (it does not use evm_enable.sh, but does it like that..)
Script is attached...

>>> [ 425.707883] type=1804 audit(1315852251.155:2687): pid=1583 uid=1000
>>> auid=4294967295 ses=4294967295 op="add_template_measure"
>>> cause="hash_added" comm="bash" name="/usr/bin/scp" dev=sda1 ino=1424
>>> res=0
>>> [ 466.291967] no evm keyring: -126
>>> [ 466.292507] type=1804 audit(1315852291.743:2688): pid=1591 uid=1000
>>> auid=4294967295 ses=4294967295 op="add_template_measure"
>>> cause="hash_added" comm="bash" name="/bin/ping" dev=sda1 ino=123 res=0
>>> [ 484.024376] no evm keyring: -126
>>> [ 484.024629] type=1804 audit(1315852309.475:2689): pid=1599 uid=1000
>>> auid=4294967295 ses=4294967295 op="add_template_measure"
>>> cause="hash_added" comm="scp" name="/usr/bin/ssh" dev=sda1 ino=1512
>>> res=0
>>> [ 485.860190] no evm keyring: -126
>>>
>>>
>>>
>>> A minor correction to the FAQ section of http://linux-ima.sourceforge.net/.
>>> The last question refers to the kernel parameter ima-appraisal=fix;
>>> should it not be ima_appraise=fix?
>>>
>>>
>>> -Subodh
>>
>> Thanks for catching that.
>>
>> Mimi
>>
>>
>
> -Subodh
>
> _______________________________________________
> Linux-ima-user mailing list
> Lin...@li...
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
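Added example, not code from this thread or from ima-evm-utils, to make the point in Mimi's reply concrete: it decodes the security.ima and security.evm values Subodh quoted and models what happens to a hash-type security.ima versus a digital-signature one when the file is edited. The following are assumptions, not things the thread states: the first byte of each xattr value is a type tag (0x01 file hash, 0x02 EVM HMAC, 0x03 digital signature), and a hash-type payload is the SHA-1 of the file contents (the 20-byte payload length of the quoted values is consistent with that). The EVM HMAC is keyed with the kernel's evm-key and is not recomputed here. The myscript.sh contents used below are constructed, so they will not reproduce the hashes in the thread.

```python
"""Decode IMA/EVM xattr values and model the 'edit a labelled file' experiment.

Added example; not code from the thread or from ima-evm-utils.
Assumptions (not stated on the page): type tag in the first byte
(0x01 hash, 0x02 EVM HMAC, 0x03 digital signature) and SHA-1 for the
hash-type security.ima payload.
"""
import hashlib

XATTR_TYPES = {0x01: "hash", 0x02: "hmac", 0x03: "digsig"}

# Values quoted in the thread for /bin/myscript.sh before it was edited.
SAMPLE_IMA = "0x01c0c5e04cf9c08652faf0247afb19c6d708ccf5ba"
SAMPLE_EVM = "0x02be034301cffd95fd237197ddf895d1e7e09ceed2"


def parse_xattr(value):
    """Split a getfattr-style '0x...' value into (type name, payload bytes)."""
    if not value.startswith("0x") or len(value) < 4:
        raise ValueError("expected a 0x-prefixed hex value with a type byte")
    raw = bytes.fromhex(value[2:])
    kind = XATTR_TYPES.get(raw[0], "unknown(0x%02x)" % raw[0])
    return kind, raw[1:]


def ima_hash_xattr(contents):
    """Hash-type security.ima for these contents: 0x01 + SHA-1(contents)."""
    return "0x01" + hashlib.sha1(contents).hexdigest()


def appraise_hash(contents, stored):
    """Re-hash the contents and compare with a stored hash-type security.ima."""
    kind, payload = parse_xattr(stored)
    if kind != "hash":
        raise ValueError("only hash-type values can be checked without keys")
    return hashlib.sha1(contents).digest() == payload


def regenerated_on_modify(stored):
    """Per Mimi's reply: hash-type security.ima and the EVM HMAC are rewritten
    when a validly labelled file is modified; a digital signature is not."""
    kind, _ = parse_xattr(stored)
    return kind in ("hash", "hmac")


def simulate_edit(after, stored_ima):
    """Model editing a file whose security.ima is `stored_ima`.

    Returns (security.ima after the edit, whether the edited file still
    appraises). Only security.ima values (hash or digsig) are handled.
    """
    kind, _ = parse_xattr(stored_ima)
    if kind == "hash":
        new_value = ima_hash_xattr(after)  # kernel re-hashes on close
        return new_value, appraise_hash(after, new_value)
    if kind == "digsig":
        # The signature is left as it was and no longer covers the new
        # contents, so the edited script would fail appraisal.
        return stored_ima, False
    raise ValueError("not a security.ima value: %s" % kind)


if __name__ == "__main__":
    # Constructed stand-ins for the script in the thread.
    before = b'#!/bin/sh\necho "Hello World"\n'
    after = b'#!/bin/sh\necho "Hello World1"\n'
    for label, value in (("security.ima", SAMPLE_IMA), ("security.evm", SAMPLE_EVM)):
        kind, payload = parse_xattr(value)
        print("%s: type=%s, payload=%d bytes" % (label, kind, len(payload)))
    print("hash-type: ", simulate_edit(after, ima_hash_xattr(before)))
    fake_sig = "0x03" + "00" * 20  # constructed placeholder, not a real signature
    print("digsig:    ", simulate_edit(after, fake_sig))
```

Run it with python3; the hash-type case yields a fresh, valid security.ima (the behaviour Subodh observed with ima_appraise=fix), while the signature case keeps the old value and would no longer appraise.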