From: Christophe F. <cf...@ut...> - 2014-11-12 19:24:12
Hello all,

I have built a Debian test system in a VM with IMA appraisal; my goal is that all binaries/libraries on the system must be signed. No user (even root) should be able to run an unsigned binary.

I load the IMA policy from an initramfs script and it contains these lines (as the default kernel policy):

[...]
# TMPFS_MAGIC = 0x01021994
dont_measure fsmagic=0x01021994
dont_appraise fsmagic=0x01021994
# RAMFS_MAGIC = 0x858458f6
dont_measure fsmagic=0x858458f6
dont_appraise fsmagic=0x858458f6
[...]

This is required because the initramfs is a cpio archive (without support of xattrs) loaded into a ramfs.

The problem is that after boot, root is able to mount a tmpfs/ramfs FS and can run binaries from it.

I would like to have some feedback / suggestions on how people handle this case?

Thanks in advance,
Christophe
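An audit check for the gap described in the message above, added here as an example and not part of the original post: it reads the `dont_appraise fsmagic=` rules from a policy and lists mounted filesystems of those types that do not carry the `noexec` mount option. The function names and the sample mount table are constructed for illustration, and rules that combine `fsmagic=` with other conditions are treated as plain filesystem exemptions.

```python
import re
# fsmagic values named in the policy excerpt, mapped to /proc/mounts type names
MAGIC_TO_FSTYPE = {0x01021994: "tmpfs", 0x858458F6: "ramfs"}
# Constructed sample: the policy lines quoted in the message
SAMPLE_POLICY = """\
# TMPFS_MAGIC = 0x01021994
dont_measure fsmagic=0x01021994
dont_appraise fsmagic=0x01021994
# RAMFS_MAGIC = 0x858458f6
dont_measure fsmagic=0x858458f6
dont_appraise fsmagic=0x858458f6
"""
# Constructed sample of /proc/mounts content (not taken from the message)
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,i_version 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
ramfs /mnt/scratch ramfs rw,relatime 0 0
"""

def exempt_fstypes(policy_text):
    """Return fs types that a dont_appraise fsmagic= rule excludes from appraisal."""
    types = set()
    for line in policy_text.splitlines():
        words = line.split("#", 1)[0].split()  # drop comments, tokenize
        if not words or words[0] != "dont_appraise":
            continue
        for tok in words[1:]:
            m = re.fullmatch(r"fsmagic=(0x[0-9a-fA-F]+)", tok)
            if m:
                magic = int(m.group(1), 16)
                types.add(MAGIC_TO_FSTYPE.get(magic, hex(magic)))
    return types

def exec_capable_exempt_mounts(policy_text, mounts_text):
    """List (mountpoint, fstype) for appraisal-exempt mounts lacking noexec."""
    exempt = exempt_fstypes(policy_text)
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _dev, mnt, fstype, opts = fields[:4]
        if fstype in exempt and "noexec" not in opts.split(","):
            hits.append((mnt, fstype))
    return hits

if __name__ == "__main__":
    print(exec_capable_exempt_mounts(SAMPLE_POLICY, SAMPLE_MOUNTS))
```

On a live system the second argument would be the contents of `/proc/mounts`; the check only reports the exposure and does not stop root from remounting.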