From: Curtis V. <cu...@vp...> - 2015-06-22 13:59:09

So what method may be used to create a new file with a valid hash? Seems like there are valid use cases for this.

-----Original Message-----
From: Mimi Zohar [mailto:zo...@li...]
Sent: Monday, June 22, 2015 7:47 AM
To: Curtis Veit
Cc: lin...@li...
Subject: Re: [Linux-ima-user] IMA (latest patches) do not allow creation of in policy files.

On Fri, 2015-06-19 at 17:10 -0600, Curtis Veit wrote:
> Background:
> I have taken the latest IMA patches from linux integrity and applied
> them to a 4.0.3 kernel source and built. (also includes my gid patch)
> Things seem to work pretty much as expected:
> - cannot write the ima hash from user space
> - more methods of writing files (that are already "in policy") do
>   seem to update hashes on file close. (Some of the previous strange
>   behavior I noticed is gone - probably related to the rw patch

This change affects the ima measurement policy, not the appraisal policy.

>   Mimi mentioned.)
> works: vim, emacs, cat >> foo
> So this is good progress...
>
>
> The Problem:
> But I cannot seem to figure out how to create a usable file that is
> owned by root. This may or may not be related to some specific
> examples of failure:

Let's take this one step at a time.

> cannot change passwords (only tested as root)
>   shadow hash does not get updated and becomes unreadable.
> df does not work. It cannot read the table that it tries
>   to access.
> emacs newfile.txt # creates an unreadable file
> vim newfile2.txt # ditto
> cat "Hello World" > newfile3.txt # ditto

Instead of 'cat' try 'echo'.

If the file is in policy, then the file should have a security.ima xattr. Once it is labeled with a valid hash, any modifications to the file should result in the hash being updated.

In each of the cases above, after creating the file, check to see if the security.ima xattr was created. Compare the xattr against the result of shaXXXsum <fn>.

Reminder: if the xattr was not created, then it was not in policy.

> I suspect that the failure with passwd and df are related to the new
> file creation issue. But I'm not sure if their implementations are
> essentially making a new file.

Only files in policy that already have valid security.ima xattrs can be modified.

Mimi
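The check Mimi describes (read the file's security.ima xattr and compare it with the output of shaXXXsum) as an added shell example; this is not code from either poster or from the IMA project. It assumes the security.ima value layout from the kernel's integrity headers (a leading type byte 0x01 for a legacy raw digest, or 0x04 followed by a hash_algo id byte, where 2 is sha1, 4 is sha256, 5 is sha384 and 6 is sha512, then the digest), and that getfattr from the attr package is installed. The parsing and comparison helpers take the xattr hex value as an argument so they can be exercised on any machine; only ima_check needs an IMA-enabled kernel.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a file's security.ima
# xattr matches the file's current digest, as suggested in Mimi's reply.
# Assumed xattr layout (kernel security/integrity/integrity.h):
#   0x01 <raw digest>            IMA_XATTR_DIGEST (legacy; sha1 or md5)
#   0x04 <algo id> <raw digest>  IMA_XATTR_DIGEST_NG; algo id from hash_info.h
#   0x03 ...                     EVM_IMA_XATTR_DIGSIG (a signature, not a hash)

# Map an assumed hash_algo id (two hex digits) to the coreutils tool for it.
ima_algo_tool() {
    case "$1" in
        02) echo sha1sum ;;
        04) echo sha256sum ;;
        05) echo sha384sum ;;
        06) echo sha512sum ;;
        *)  return 1 ;;
    esac
}

# ima_parse_xattr HEX -> prints "<tool> <digest-hex>", or fails.
# HEX is the value as printed by 'getfattr -e hex' (with or without "0x").
ima_parse_xattr() {
    hex=$(printf '%s' "$1" | sed 's/^0x//' | tr 'A-F' 'a-f')
    type=$(printf '%s' "$hex" | cut -c1-2)
    case "$type" in
        01)
            digest=$(printf '%s' "$hex" | cut -c3-)
            # The legacy format carries no algo id; infer it from the length.
            case ${#digest} in
                40) tool=sha1sum ;;
                32) tool=md5sum ;;
                *)  return 1 ;;
            esac
            ;;
        04)
            algo=$(printf '%s' "$hex" | cut -c3-4)
            tool=$(ima_algo_tool "$algo") || return 1
            digest=$(printf '%s' "$hex" | cut -c5-)
            ;;
        03)
            echo "security.ima holds a signature, not a plain hash" >&2
            return 2
            ;;
        *)  return 1 ;;
    esac
    printf '%s %s\n' "$tool" "$digest"
}

# ima_compare FILE HEX -> exit 0 if FILE's current digest equals the
# digest stored in HEX, non-zero otherwise.
ima_compare() {
    parsed=$(ima_parse_xattr "$2") || return 1
    tool=${parsed%% *}
    expected=${parsed#* }
    actual=$("$tool" "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# ima_check FILE -> read security.ima with getfattr and compare it.
# A missing xattr means the file was not in policy when it was created.
ima_check() {
    hex=$(getfattr -n security.ima -e hex --only-values "$1" 2>/dev/null) || {
        echo "$1: no security.ima xattr (file not in policy?)"
        return 1
    }
    if ima_compare "$1" "$hex"; then
        echo "$1: security.ima matches current content"
    else
        echo "$1: security.ima does NOT match current content"
        return 1
    fi
}

# Usage on an IMA-enabled system (as root, for a file in the appraisal policy):
#   . ./ima_check.sh && ima_check /path/to/newfile.txt
```

Run ima_check against each of the files from the failing cases in the thread; a "no security.ima xattr" result is the "not in policy" case Mimi mentions, while a mismatch means the label was written but no longer reflects the content. The helper deliberately refuses to compare a 0x03 signature value, since a signature cannot be checked with shaXXXsum alone.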