From: Mimi Z. <zo...@li...> - 2015-06-16 16:34:28

On Tue, 2015-06-16 at 13:57 +0000, Curtis Veit wrote:
> I've mentioned seeing odd behavior copying hashes and signatures using rsync and tar.
> Is there documentation anywhere describing the expected behavior?
>
> A couple examples. I just switched kernels from my own with ima-sig and hashes=sha256 built in to a standard
> Ubuntu kernel and now all hashes and signatures get changed automatically to sha1. I guess this should be expected but was a surprise in a way. (Apparently Ubuntu is shipping a kernel that defaults to sha1)
>
> Things that seem to affect the behavior creating the hash or signature.
>
> IMA kernel Mode: ima ima-ng or ima-sig
> IMA hash default: sha1 sha256, sha512
> (Can anyone tell me what the kernel command line arguments are for these two items?)

The "ima_hash=" specifies the default hash algorithm used in the IMA measurement list. In order to prevent hashing the file once for the measurement list and again for appraisal, the same hash algorithm is used for both. The hash algorithm in the xattr will also appear in the measurement list.

> IMA can also be in a state where the xattrs are simply dropped when the copy is done.
> (Can anyone point me to an explanation of conditions that must be met for the xattr to be retained?)

When using 'cp', specify "--preserve=xattrs" to copy the security xattrs.

> This may be related to the policy that is currently in force. And seems to work when in either fix or
> Enforcing mode.

True, but "fix" mode should only be used for initial labeling of the filesystem. After that, on file close, if the file has been modified and is in policy, the file hash will be updated. To detect file modification, the file system needs to be mounted with iversion.

> There are times I think I should be in enforcing mode but hashes are dropped. I am not certain
> if it is because I am not actually in enforcing mode or because the policy I loaded is bad.
> Is there a definition for how policy settings affect the restoration
> of IMA xattrs when copying with tar or rsync?

I haven't looked at rsync. As for tar, I opened a bug March 2014, but never heard back - http://lists.gnu.org/archive/html/bug-tar/2014-03/msg00029.html. I haven't tried this patch recently.

Mimi

> Any help on this would be profoundly appreciated! (pointer to docs and/or the place the code implements the behavior or specific explanations would be very helpful.)
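The point about copies silently dropping the security xattr can be checked directly. The following is an added example, not code from the thread or from IMA: it labels a file with a constructed `user.ima_demo` xattr (a stand-in for `security.ima`, which only CAP_SYS_ADMIN can write), copies it once without and once with xattr preservation, and reports which copy still carries the label.

```python
"""Added example (not from the thread): does a copy keep the file's xattrs?
A user.* xattr stands in for security.ima, because writing security.* xattrs
needs CAP_SYS_ADMIN; a copy keeps or drops both namespaces the same way."""
import errno
import os
import shutil
import tempfile

# Constructed stand-in for the "security.ima" name and its value.
XATTR_NAME = "user.ima_demo"
XATTR_VALUE = b"constructed-demo-digest"


def has_label(path):
    """True if path still carries the stand-in IMA label."""
    try:
        return os.getxattr(path, XATTR_NAME) == XATTR_VALUE
    except OSError as exc:
        if exc.errno == errno.ENODATA:  # xattr absent: the copy dropped it
            return False
        raise


def compare_copies(workdir):
    """Copy a labelled file two ways and report which copy kept the label.
    shutil.copyfile copies data only, like a plain 'cp'; shutil.copy2 also
    copies xattrs on Linux, like 'cp --preserve=xattrs'. Returns None when
    the filesystem does not support user xattrs, so nothing can be shown."""
    src = os.path.join(workdir, "labelled")
    with open(src, "wb") as fh:
        fh.write(b"file contents that IMA would hash\n")
    try:
        os.setxattr(src, XATTR_NAME, XATTR_VALUE)
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return None
        raise

    plain = os.path.join(workdir, "plain-copy")
    preserving = os.path.join(workdir, "preserving-copy")
    shutil.copyfile(src, plain)    # data only: label is dropped
    shutil.copy2(src, preserving)  # data, stat and xattrs: label survives
    return {"plain_copy": has_label(plain), "preserving_copy": has_label(preserving)}


def run_demo():
    """Run compare_copies in a scratch directory that is removed afterwards."""
    if not hasattr(os, "setxattr"):  # the xattr calls exist only on Linux
        return None
    with tempfile.TemporaryDirectory() as workdir:
        return compare_copies(workdir)
```

Root can make the same comparison with the real label, reading it back on each copy with `getfattr -n security.ima -d FILE`.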