From: Christophe F. <cf...@ut...> - 2014-11-26 18:11:29
On 11/12/2014 10:20 PM, Mimi Zohar wrote:
Hello,
> Right, a general solution would be to add an initramfs archive format,
> which supports extended attributes, to the Linux kernel and remove the
> don't appraise ramfs rules. (The don't measure rule was already removed
> in commit 08de59e Revert "ima: policy for RAMFS".)
>
>> The problem is that after boot, root is able to mount a tmpfs/ramfs FS
>> and can run binaries from it.
> For now, the simplest option is to replace the default policy from the
> initramfs just before pivoting root.
>
I tried the following approach that seems to work:
- Build a classic initramfs image with Debian tool (update-initramfs)
- Extract the initramfs image into an ext4 filesystem (or any filesystem
  that supports xattr).
- Compute IMA/EVM signatures for all files with evmctl, then read
security.ima/security.evm attributes (using getfattr) and store them
in a text file.
- At boot, before reading and enabling the IMA policy, the attributes
are loaded from the attribute file and applied to the TMPFS. Then,
when the policy is loaded, no appraisal error occurs.
I had to patch the kernel to force TMPFS use (in init/do_mounts.c) instead
of RAMFS.
Here is what I used (these are clearly not state-of-the-art scripts...):
Initramfs rebuild:
mkdir -p signed_initramfs/extract
cd signed_initramfs/extract
gunzip < ~/IMA/initrd.img | cpio -i
# Copy IMA policy and xattr fixup script
mkdir -p etc/ima
cp ~/IMA/ima_policy etc/ima/
cp ~/IMA/apply_xattr.sh bin/
evmctl sign -r -s -k ~/IMA/ima.priv --imasig -t fm -u "00000000-0000-0000-0000-000000000000" .
~/IMA/collect_xattr.sh . etc/ima/initramfs_xattr.txt
find . | cpio --create --format='newc' | gzip -9 > ~/IMA/initrd-signed.img
collect_xattr.sh:
#!/bin/bash
# Collect the IMA/EVM security extended attributes of every file under a
# directory and write them to a text file, one "path attr value" per line.
# Paths are written without the leading "." so that they are valid once
# the initramfs content is the root filesystem.
if [ $# -ne 2 ]; then
    echo "Usage: $(basename "$0") <directory> <xattr_output_file>" >&2
    exit 1
fi
xattr_names="security.ima security.evm"
base_dir=$1
output_file=$2
: > "$output_file"
# -print0 / read -d '' keeps file names containing spaces intact
find "$base_dir" -print0 | while IFS= read -r -d '' filename; do
    for attr in $xattr_names; do
        # getfattr prints "security.ima=0x..."; keep only the hex value
        val=$(getfattr -n "$attr" -e hex --absolute-names "$filename" 2>/dev/null \
              | sed -n "s/^${attr}=//p")
        if [ -n "$val" ]; then
            fpath=${filename#.}
            echo "$fpath $attr $val" >> "$output_file"
        fi
    done
done
apply_xattr.sh:
#!/bin/sh
# Apply extended attributes (xattr) to a list of files. Reads the
# "path attr value" lines written by collect_xattr.sh on stdin, e.g.:
#   apply_xattr.sh < /etc/ima/initramfs_xattr.txt
# The value is the 0x-prefixed hex string printed by getfattr -e hex,
# which setfattr -v accepts as-is.
while read -r filename tag value; do
    echo "XATTR: filename=${filename}, tag=${tag}, value=${value}"
    setfattr -n "${tag}" -v "${value}" "${filename}" \
        || echo "XATTR: failed to set ${tag} on ${filename}" >&2
done
Note: setfattr needs to be copied into the initramfs by a hook script.
Christophe
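As an added example that is not part of this mail or of ima-evm-utils: before repacking the initramfs, it is worth checking the generated etc/ima/initramfs_xattr.txt offline, because a file that evmctl left with only a hash (or signed with the wrong key) will fail appraisal on the tmpfs just as an unsigned one would. The check below parses the "path attr 0xhex" lines and decodes the security.ima value using the v2 signature header layout (type, version, hash_algo, big-endian key id, big-endian signature size, signature), which is what evmctl --imasig produces by default in recent versions; v1 signatures are reported as unsupported. The sample lines and the key id are constructed for the demonstration, and expected_keyid is an assumed parameter, not something the mail defines.

```python
#!/usr/bin/env python3
# Offline sanity check of the "path attr 0xhex" file written by
# collect_xattr.sh (added example, not from the original mail).
# security.ima v2 signature header (signature_v2_hdr):
#   u8 type; u8 version; u8 hash_algo; __be32 keyid; __be16 sig_size; u8 sig[]
import struct

# First byte of a security.ima / security.evm value (xattr type)
IMA_XATTR_DIGEST = 0x01      # bare sha1 hash
EVM_IMA_XATTR_DIGSIG = 0x03  # asymmetric signature
IMA_XATTR_DIGEST_NG = 0x04   # hash prefixed with an algorithm byte

# hash_algo enum (include/uapi/linux/hash_info.h), common entries only
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
             4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}

SIG_V2_HDR = struct.Struct(">BBBIH")  # type, version, hash_algo, keyid, sig_size


def parse_line(line):
    """Parse one 'path attr 0xhex' line into (path, attr, raw bytes)."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError("malformed line: %r" % line)
    path, attr, value = parts
    if not value.startswith("0x"):
        raise ValueError("value is not hex encoded: %r" % value)
    return path, attr, bytes.fromhex(value[2:])


def describe_ima(value):
    """Describe a security.ima value; raise if it is not a v2 signature
    (a plain hash fails appraisal under a signature-only policy)."""
    if not value or value[0] != EVM_IMA_XATTR_DIGSIG:
        raise ValueError("security.ima is not a digital signature (type 0x%02x)"
                         % (value[0] if value else 0))
    if len(value) < SIG_V2_HDR.size:
        raise ValueError("security.ima too short for signature_v2_hdr")
    _, version, algo, keyid, sig_size = SIG_V2_HDR.unpack_from(value)
    if version != 2:
        raise ValueError("unsupported signature version %d" % version)
    sig_len = len(value) - SIG_V2_HDR.size
    if sig_len != sig_size:
        raise ValueError("sig_size %d but %d signature bytes present"
                         % (sig_size, sig_len))
    return {"hash_algo": HASH_ALGO.get(algo, "unknown(%d)" % algo),
            "keyid": "%08x" % keyid, "sig_size": sig_size}


def check_xattr_file(text, expected_keyid=None):
    """Check every line; return (ok, errors).

    ok: list of (path, attr, info) for accepted entries; errors: messages.
    A path with security.evm but no security.ima is reported too, since
    EVM alone does not let IMA appraise the contents. expected_keyid
    (8 hex digits, assumed parameter) pins the signing key."""
    ok, errors, attrs_by_path = [], [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            path, attr, value = parse_line(line)
            attrs_by_path.setdefault(path, set()).add(attr)
            if attr == "security.ima":
                info = describe_ima(value)
                if expected_keyid and info["keyid"] != expected_keyid:
                    raise ValueError("%s signed with key %s, expected %s"
                                     % (path, info["keyid"], expected_keyid))
            else:
                info = {"len": len(value)}
            ok.append((path, attr, info))
        except ValueError as e:
            errors.append("line %d: %s" % (lineno, e))
    for path, attrs in attrs_by_path.items():
        if "security.ima" not in attrs:
            errors.append("%s: has %s but no security.ima"
                          % (path, ", ".join(sorted(attrs))))
    return ok, errors


# Constructed sample (not real evmctl output): a v2 sha256 signature with
# key id 0x12345678 and a 4-byte dummy signature body, one file that only
# carries a hash (type 0x04), and one file with security.evm only.
SAMPLE = """\
/bin/sh security.ima 0x030204123456780004deadbeef
/bin/sh security.evm 0x030204123456780004cafebabe
/sbin/init security.ima 0x0404aabbccdd
/etc/ima/ima_policy security.evm 0x030204123456780004feedface
"""

if __name__ == "__main__":
    accepted, problems = check_xattr_file(SAMPLE, expected_keyid="12345678")
    for path, attr, info in accepted:
        print("OK   %-22s %-12s %s" % (path, attr, info))
    for msg in problems:
        print("FAIL", msg)
```

Run it against the real attribute file (read the file instead of SAMPLE) with the key id of ima.priv's certificate; any FAIL line is a file that will hit an appraisal error once the policy is loaded.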