From: Mimi Z. <zo...@li...> - 2014-11-26 22:12:40
On Wed, 2014-11-26 at 19:10 +0100, Christophe Fillot wrote:
> On 11/12/2014 10:20 PM, Mimi Zohar wrote:
>
> Hello,
>
> > Right, a general solution would be to add an initramfs archive format,
> > which supports extended attributes, to the Linux kernel and remove the
> > don't appraise ramfs rules. (The don't measure rule was already removed
> > in commit 08de59e Revert "ima: policy for RAMFS".)
> >
> >> The problem is that after boot, root is able to mount a tmpfs/ramfs FS
> >> and can run binaries from it.
> > For now, the simplest option is to replace the default policy from the
> > initramfs just before pivoting root.
> I tried the following approach that seems to work:
> - Build a classic initramfs image with Debian tool (update-initramfs)
> - Extract the initramfs image into an ext4 filesystem (or any filesystem
> that supports xattr).
> - Compute IMA/EVM signatures for all files with evmctl, then read
> security.ima/security.evm attributes (using getfattr) and store them
> in a text file.
With commit "8feba3f Add support for signing a file hash", evmctl now
supports signing file hashes. You might want to create a manifest file
containing all the files and their hashes, similar to the .deb md5sums
file, and then sign the files hashes.
find <dir> -type f -exec sha256sum {} \; >> ./sha256sums
cat ./sha256sums | evmctl sign_hash -a sha256 --key "${PRIVKEY}" > sha256sums.sig
> - At boot, before reading and enabling the IMA policy, the attributes
> are loaded from the attribute file and applied to the TMPFS. Then,
> when the policy is loaded, no appraisal error occurs.
Interesting that the EVM signatures are valid, as the HMAC calculation
includes the i_ino. This means that the extracted files have the same
i_ino as the original version that you signed. I'm not sure that we can
really count on that, nor am I sure how to resolve this problem.
> I had to patch the kernel to force TMPFS use (in init/do_mounts.c) instead
> of RAMFS.
Are you using an initrd not an initramfs? According to
Documentation/filesystems/ramfs-rootfs-initramfs.txt, "If CONFIG_TMPFS
is enabled, rootfs will use tmpfs instead of ramfs by default".
Mimi
> Here is what I used (this is clearly not state-of-the-art scripts...):
>
>
> Initramfs rebuild:
>
> mkdir -p signed_initramfs/extract
> cd signed_initramfs/extract
> gunzip < ~/IMA/initrd.img | cpio -i
>
> # Copy IMA policy and xattr fixup script
> mkdir -p etc/ima
> cp ~/IMA/ima_policy etc/ima/
> cp ~/IMA/apply_xattr.sh bin/
>
> evmctl sign -r -s -k ~/IMA/ima.priv --imasig -t fm \
>     -u"00000000-0000-0000-0000-000000000000" .
> ~/IMA/collect_xattr.sh . etc/ima/initramfs_xattr.txt
> find . | cpio --create --format='newc' | gzip -9 > ~/IMA/initrd-signed.img
>
>
> collect_xattr.sh:
>
> #!/bin/bash
>
> # Collect IMA/EVM security extended attributes and write them in
> # a text file, one "<path> <attr> <hexvalue>" line per attribute.
>
> if [ $# -ne 2 ]; then
>     echo "Usage: $(basename "$0") <directory> <xattr_output_file>"
>     exit 1
> fi
>
> xattr_names="security.ima security.evm"
> base_dir=$1
> output_file=$2
>
> # Truncate the output file before appending to it below.
> > "$output_file"
>
> for filename in $(find "$base_dir"); do
>     for attr in $xattr_names; do
>         # getfattr prints "name=0x..." lines; keep only the hex value.
>         val=$(getfattr -n "$attr" -e hex -d "$filename" 2>/dev/null | \
>               grep "$attr" | sed -e "s/^${attr}=//")
>         if [ -n "$val" ]; then
>             # Strip the leading "." so the path is relative to the root
>             # of the extracted initramfs.
>             fpath=$(echo "$filename" | sed -e "s/^\.//")
>             echo "$fpath $attr $val" >> "$output_file"
>         fi
>     done
> done
>
>
> apply_xattr.sh:
>
> #!/bin/sh
>
> # Apply extended attributes (xattr) to a list of files, read from stdin
> # in the "<path> <attr> <hexvalue>" format written by collect_xattr.sh.
>
> while read -r filename tag value; do
>     echo "XATTR: filename=${filename}, tag=${tag}, value=${value}"
>     setfattr -n "${tag}" -v "${value}" "${filename}"
> done
>
> Note: The setfattr needs to be copied by an initramfs hook script.
>
> Christophe
>
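The signed hash manifest Mimi proposes (a sha256sums file in the style of the .deb md5sums file, signed with evmctl sign_hash) also needs a verifier on the other side; the following shell script is an added example, not code from the thread, that builds such a manifest from a tree and checks a tree against it, treating a file the manifest does not list as a failure as well as a changed or missing one. The function names make_manifest and verify_manifest are ours, and the evmctl signing step over the manifest is not shown since it needs a key.

```shell
#!/bin/sh
# Added example, not from the thread: keep a sha256 manifest of a file tree
# (the "sha256sums" file Mimi proposes signing with evmctl sign_hash) and
# verify a tree against it. Function names are ours.

# make_manifest <dir> <manifest>
# Paths are recorded relative to <dir> and sorted, so rebuilding the manifest
# from an unchanged tree gives byte-identical output (a stable hash to sign).
make_manifest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
          sha256sum "$f"
      done ) > "$2"
}

# verify_manifest <dir> <manifest>
# Returns 0 only when every listed file is present with the listed hash AND
# no file exists under <dir> that the manifest omits. The second check
# matters: a verifier that only walks the manifest never notices an added
# binary, which is exactly the tmpfs/ramfs concern raised in the thread.
verify_manifest() {
    dir=$1
    manifest=$2
    rc=0

    # 1. listed files: a missing or modified file makes sha256sum -c fail.
    #    The manifest is opened in the caller's directory, before the cd.
    ( cd "$dir" && sha256sum --status -c ) < "$manifest" || rc=1

    # 2. unlisted files: compare the path column of the manifest with a
    #    fresh listing of the tree (comm needs both inputs sorted).
    listed=$(mktemp) || return 1
    present=$(mktemp) || return 1
    sed 's/^[0-9a-f]\{64\}  //' "$manifest" | sort > "$listed"
    ( cd "$dir" && find . -type f ) | sort > "$present"
    extra=$(comm -13 "$listed" "$present")
    rm -f "$listed" "$present"
    if [ -n "$extra" ]; then
        printf 'files not in manifest:\n%s\n' "$extra" >&2
        rc=1
    fi
    return "$rc"
}
```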