From: Rishi G. <ris...@gm...> - 2014-01-15 14:12:43
I have used the initial patches of IMA to make it available in Linux kernel 2.6.18. And in the kernel code I changed it to print the full path of the bprm filename, and the measurement values are as below:

10 428d402c6e3520b6b33e567250922b1c2410c9b2 ima ffffffffffffffffffffffffffffffffffffffff boot_aggregate
10 37dd365996374e967a6568854166722750e368e0 ima *9eb30c85c49cc1a4fa85976c707769c65d473800 /init*
10 2f6264d10a16e4bf553d5754bb53c29226d5de24 ima *eaaf413b06cd215b1b1f85c9ccb3d31c23fefa88 /init*
10 c4f74cd855200656442117bd5ae88e201f89a7f4 ima 4615536ae520d3be32f6904e71c48f938be5d1d1 /bin/insmod
10 78dc232efd5f227d38ed86b3d839601e818a13a2 ima 4f5205e3a758583268ed2de04800288de2f86b18 /bin/lvm
10 fd218befcddfa26dcadcb9b6e5a1efc1d69f1293 ima *74772a232661bb3ecb37d403416c848bcc170949 /sbin/init*
10 5f13e006f73f2fdfa4554fefd635caaa920bc6d2 ima 863e9feac2842ba6e3a3b894e863938d80638ca0 ld-2.5.so
10 750b8efa2e17ae24020c6db65bc465bd5fc57371 ima 447741e2da357845aea29481e5b602cf6c46a42d libsepol.so.1
10 5c3cb54b440602b12e34ea3228aa9aae909ec53c ima f742ff7b66fe9cfd16ded1222445c01af9eecc38 libselinux.so.1
10 163f8efc92fa077172d4d64c56b4f0b74d10ac49 ima 0f71a1a4c6fd6d475f2c540ae7cb375c0365dbb5 libc-2.5.so
10 2b2f53a6a52537316c7891ea1a688620d4516bc6 ima 8132e511b539305a307e35b33b6f393b0e4eb1cc libdl-2.5.so
10 22a299ef7d242ae4c44c24903ad5e5bf743d6a9b ima *5e3548bcf2513ce5493014b7ef258dd172e2c396 /etc/rc.d/rc.sysinit*
10 ea5ae5167282ff3b197437973f78ec64ec7f272d ima *105c6a1c05b394710a63db7e9d277cbdbe54ae76 /etc/rc.d/rc.sysinit*
10 d9d4fd02a5d9a04f6e403301754603b4cfaf02c9 ima 8ff97d65bcf5a98a68ed3141f9c93e55e607309f libtermcap.so.2.0.8
10 00fc4800026a38cf49e72e3366b219502208ba01 ima b0f481235f3ff30d474a4c549dc8e4b9fee47570 libnss_files-2.5.so
10 c067cb7e38c37a9656d5459f5510475adebe944a ima 9d1ec152eae342482b5266465d20f7ebab1326e2 /bin/hostname
10 ddb673075a27543246005469e7813cf159463d0b ima 3caf6dc36756d135a9fa95f61610eaba0eb7e0b4 /bin/uname
10 b8478267564da72236a4eda4338b585cb2907156 ima d2757b64dd0ff12211986d1ca53baafccba1a977 /bin/mount

As you can see above, in the measurement list there are three entries of 'init', namely /init, /init and /sbin/init. All three entries have different hash values. As I had said earlier, I found the first and third entries of init matched the hash values of the initramfs (decompressed initramfs, i.e. initrd) and /sbin/init. I am unable to figure out from where the second entry of /init is coming, having a different measurement than the other two init entries. The same is the case with the two entries of /etc/rc.d/rc.sysinit, of which the first entry's hash value matched the existing file in the filesystem.

Please clarify about the second entry of init and rc.sysinit.

Thanks

On Sun, Jan 12, 2014 at 8:56 PM, Mimi Zohar <zo...@li...> wrote:

> On Sat, 2014-01-11 at 13:30 +0530, Rishi Gandhi wrote:
> > Hi,
> > I am using IMA in Linux kernel 2.6.18 having Red Hat EL5.
> > In my measurement list I am getting three entries in the measurement list
> > (ascii_measurement list).
> >
> > The three entries are of
> > * /init
> > * /init
> > * /sbin/init
> > out of which the first entry of /init is of initramfs and the third entry is of
> > /sbin/init when compared with the hash value. I am not able to figure out how
> > the second /init entry is coming in my measurement list.
> >
> > and the same case is with rc.sysinit in /etc/rc.sysinit
> >
> > Please clarify from where the second entry of /init and /etc/rc/sysinit is
> > coming and what it signifies? And where can I find those in the source code.
>
> When IMA was originally upstreamed, there were two /init measurements.
> One was from the initramfs, while the other was from the real root.
> Subsequent patches used the bprm filename, not the short name. My
> guess, without looking at which patches were back ported, would be that
> the second /init was done at file_check on the real root. The
> '/sbin/init' measurement was done at bprm_check. Are file hash
> measurements the same for the second and last entries?
>
> thanks,
>
> Mimi
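The question in this thread (why the same pathname shows up twice with different file hashes) is exactly the kind of anomaly an attestation verifier has to surface rather than silently accept, so it is worth having a small tool that does it mechanically. The script below is an added example written for this archive page; it is not code from the thread or from the IMA project. It parses a legacy "ima"-template ascii_runtime_measurements list (the five-field "PCR template-hash template-name file-hash filename" records shown above), reports every name measured with more than one distinct file hash (grouped by full path, or by basename so that /init and /sbin/init are compared together as the poster does), and replays the PCR 10 extend sequence so the list can be compared against a quoted PCR. The sample lines are a constructed subset copied from the message above. The template-hash recomputation assumes the legacy "ima" template layout of a 20-byte file digest followed by the filename NUL-padded to 256 bytes; treat that layout as an assumption, and expect a backported or modified kernel (such as the one in this thread, which prints full bprm paths) to produce mismatches if it packed the record differently.

```python
"""Sanity checks for an IMA ascii_runtime_measurements list (legacy 'ima' template).

Added example for this mailing-list page; not code from the thread or from IMA itself.
"""
import hashlib
import os
from collections import defaultdict

# Constructed sample input: a subset of the entries quoted in the message above,
# one "PCR template-hash template-name file-hash filename" record per line.
SAMPLE_LIST = """\
10 428d402c6e3520b6b33e567250922b1c2410c9b2 ima ffffffffffffffffffffffffffffffffffffffff boot_aggregate
10 37dd365996374e967a6568854166722750e368e0 ima 9eb30c85c49cc1a4fa85976c707769c65d473800 /init
10 2f6264d10a16e4bf553d5754bb53c29226d5de24 ima eaaf413b06cd215b1b1f85c9ccb3d31c23fefa88 /init
10 c4f74cd855200656442117bd5ae88e201f89a7f4 ima 4615536ae520d3be32f6904e71c48f938be5d1d1 /bin/insmod
10 fd218befcddfa26dcadcb9b6e5a1efc1d69f1293 ima 74772a232661bb3ecb37d403416c848bcc170949 /sbin/init
10 22a299ef7d242ae4c44c24903ad5e5bf743d6a9b ima 5e3548bcf2513ce5493014b7ef258dd172e2c396 /etc/rc.d/rc.sysinit
10 ea5ae5167282ff3b197437973f78ec64ec7f272d ima 105c6a1c05b394710a63db7e9d277cbdbe54ae76 /etc/rc.d/rc.sysinit
"""

SHA1_HEX_LEN = 40


def parse_measurements(text):
    """Parse ascii_runtime_measurements lines written with the legacy 'ima' template."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(None, 4)  # split at most 4 times so a name with spaces stays whole
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        pcr, template_hash, template, file_hash, name = fields
        if template != "ima":
            raise ValueError(f"line {lineno}: unsupported template {template!r}")
        for h in (template_hash, file_hash):
            if len(h) != SHA1_HEX_LEN or any(c not in "0123456789abcdef" for c in h):
                raise ValueError(f"line {lineno}: bad SHA-1 hex {h!r}")
        entries.append({"pcr": int(pcr), "template_hash": template_hash,
                        "file_hash": file_hash, "name": name})
    return entries


def conflicting_measurements(entries, by_basename=False):
    """Map each name measured with more than one distinct file hash to those hashes, in list order."""
    hashes = defaultdict(list)
    for e in entries:
        key = os.path.basename(e["name"]) if by_basename else e["name"]
        if e["file_hash"] not in hashes[key]:
            hashes[key].append(e["file_hash"])
    return {k: v for k, v in hashes.items() if len(v) > 1}


def replay_pcr(entries, pcr=10):
    """Recompute the PCR value the list implies: PCR_new = SHA1(PCR_old || template_hash)."""
    value = bytes(20)  # a PCR starts at all zeros after reset
    for e in entries:
        if e["pcr"] == pcr:
            value = hashlib.sha1(value + bytes.fromhex(e["template_hash"])).digest()
    return value.hex()


def ima_template_hash(file_hash_hex, name):
    """Template hash for the legacy 'ima' template as ASSUMED here:
    SHA1 over the 20-byte file digest followed by the filename NUL-padded to 256 bytes."""
    data = bytes.fromhex(file_hash_hex) + name.encode().ljust(256, b"\0")
    return hashlib.sha1(data).hexdigest()


def template_hash_mismatches(entries):
    """Names whose recorded template hash differs from the recomputation above."""
    return [e["name"] for e in entries
            if ima_template_hash(e["file_hash"], e["name"]) != e["template_hash"]]


if __name__ == "__main__":
    entries = parse_measurements(SAMPLE_LIST)
    print("PCR 10 after replay:", replay_pcr(entries))
    for name, hashes in conflicting_measurements(entries, by_basename=True).items():
        print(f"{name}: {len(hashes)} distinct file hashes -> {', '.join(hashes)}")
    mismatched = template_hash_mismatches(entries)
    print("template-hash mismatches:", ", ".join(mismatched) if mismatched else "none")
```

Run against the full list from the message, the basename grouping reports `init` with three distinct hashes and `rc.sysinit` with two, which is the poster's observation. Whether a duplicate is benign (the same pathname measured once from the initramfs and once from the real root, as Mimi's reply describes) or not cannot be decided from the list alone; the verifier has to hold a known-good hash for each expected file, and anything that does not match one of those is what gets investigated.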