From: Patrick O. <pat...@in...> - 2015-07-10 13:02:15
Hello!
Last time I looked at the IMA policy loading, I was baffled that the
kernel ABI explicitly says that each write must be exactly one rule,
while systemd used one write() for the entire policy file. At that time
I concluded that the latter happens to work because the kernel reports
short writes after each rule and systemd retries with the rest. That's
also how it worked for cat.
However, now I ran into a situation where cat does not work for a policy
which seems to be correct (attached):
strace -s 1000 cat /etc/ima/ima-policy-floor >/sys/kernel/security/ima/policy
...
open("/etc/ima/ima-policy-floor", O_RDONLY|O_LARGEFILE) = 3
sendfile64(1, 3, NULL, 16777216) = 2
sendfile64(1, 3, NULL, 16777216) = -1 EINVAL (Invalid argument)
read(3, "# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)\n# \n# Do not measure anything, but appraise everything\n#\n# PROC_SUPER_MAGIC\ndont_appraise fsmagic=0x9fa0\n# SYSFS_MAGIC\ndont_appraise fsmagic=0x62656572\n# DEBUGFS_MAGIC\ndont_appraise fsmagic=0x64626720\n# TMPFS_MAGIC\ndont_appraise fsmagic=0x01021994\n# RAMFS_MAGIC\ndont_appraise fsmagic=0x858458f6\n# DEVPTS_SUPER_MAGIC\ndont_appraise fsmagic=0x1cd1\n# BIFMT\ndont_appraise fsmagic=0x42494e4d\n# SECURITYFS_MAGIC\ndont_appraise fsmagic=0x73636673\n# SELINUXFS_MAGIC\ndont_appraise fsmagic=0xf97cff8c\n\n# Appraise all operations on files with floor label.\nappraise obj_user=_\n", 4096) = 673
write(1, "# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)\n# \n# Do not measure anything, but appraise everything\n#\n# PROC_SUPER_MAGIC\ndont_appraise fsmagic=0x9fa0\n# SYSFS_MAGIC\ndont_appraise fsmagic=0x62656572\n# DEBUGFS_MAGIC\ndont_appraise fsmagic=0x64626720\n# TMPFS_MAGIC\ndont_appraise fsmagic=0x01021994\n# RAMFS_MAGIC\ndont_appraise fsmagic=0x858458f6\n# DEVPTS_SUPER_MAGIC\ndont_appraise fsmagic=0x1cd1\n# BIFMT\ndont_appraise fsmagic=0x42494e4d\n# SECURITYFS_MAGIC\ndont_appraise fsmagic=0x73636673\n# SELINUXFS_MAGIC\ndont_appraise fsmagic=0xf97cff8c\n\n# Appraise all operations on files with floor label.\nappraise obj_user=_\n", 673) = -1 EINVAL (Invalid argument)
brk(0) = 0xb77cd000
brk(0xb77ee000) = 0xb77ee000
write(2, "cat: write error: Invalid argument\n", 35cat: write error: Invalid argument
This is on a 3.19.2 kernel.
Writing each line one-by-one works:
(set -e; while read i; do echo $i >&2; echo $i; done) </etc/ima/ima-policy-floor >/sys/kernel/security/ima/policy
The shell loop writes to stderr and stdout on purpose. That way a broken
policy rule can be identified, which is not the case when using cat.
That works for me at the moment, but I am wondering how that'll affect
policy loading via systemd. Is there anything in the policy that breaks
the short write mechanism?
I tried with all comment and blank lines removed, but it still failed
when using cat. Kernel messages in that case were:
audit: type=1805 audit(1436532900.884:2): action="dont_appraise" fsmagic="0x9fa0" res=1
IMA: policy update failed
audit: type=1802 audit(1436532900.892:3): pid=187 uid=0 auid=4294967295 ses=4294967295 subj=System op="policy_update" cause="failed" comm="cat" res=0
With the shell loop, I get:
audit: type=1805 audit(1436532981.698:4): action="dont_appraise" fsmagic="0x9fa0" res=1
audit: type=1805 audit(1436532981.701:5): action="dont_appraise" fsmagic="0x62656572" res=1
audit: type=1805 audit(1436532981.709:6): action="dont_appraise" fsmagic="0x64626720" res=1
audit: type=1805 audit(1436532981.711:7): action="dont_appraise" fsmagic="0x01021994" res=1
audit: type=1805 audit(1436532981.716:8): action="dont_appraise" fsmagic="0x858458f6" res=1
audit: type=1805 audit(1436532981.720:9): action="dont_appraise" fsmagic="0x1cd1" res=1
audit: type=1805 audit(1436532981.725:10): action="dont_appraise" fsmagic="0x42494e4d" res=1
audit: type=1805 audit(1436532981.729:11): action="dont_appraise" fsmagic="0x73636673" res=1
audit: type=1805 audit(1436532981.734:12): action="dont_appraise" fsmagic="0xf97cff8c" res=1
audit: type=1805 audit(1436532981.738:13): action="appraise" obj_user="_" res=1
IMA: policy update completed
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
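The rule-per-write loader the post arrives at, written up as an added Python example (not the author's code and not part of IMA or systemd): it splits a policy file into rules, issues one write() per rule as the kernel ABI requires, and reports the line of the first rule the kernel rejects, which a single cat write cannot tell you. SAMPLE_POLICY and fake_kernel_writer are constructed so the logic runs offline; securityfs_writer assumes a file descriptor opened for writing on /sys/kernel/security/ima/policy.

```python
import errno
import os

IMA_POLICY_PATH = "/sys/kernel/security/ima/policy"

# Constructed sample: two of the fsmagic rules from the post plus one
# deliberately malformed rule, so error reporting can be exercised offline.
SAMPLE_POLICY = """\
# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572

dont_appraise fsmagic=not-a-magic
appraise obj_user=_
"""


def policy_rules(text):
    """Yield (line_number, rule), skipping blank and comment lines so that
    each write() later carries exactly one rule, as the IMA ABI expects."""
    for number, line in enumerate(text.splitlines(), 1):
        rule = line.strip()
        if rule and not rule.startswith("#"):
            yield number, rule


def load_ima_policy(text, write_rule):
    """Write the policy one rule per write(). write_rule(data) must issue a
    single write and raise OSError when the kernel rejects the rule. Returns
    (rules_loaded, failure); failure is None or (line_number, rule, errno)."""
    loaded = 0
    for number, rule in policy_rules(text):
        try:
            write_rule(rule + "\n")
        except OSError as exc:
            return loaded, (number, rule, exc.errno)
        loaded += 1
    return loaded, None


def securityfs_writer(fd):
    """Writer for the real policy file (fd from os.open(IMA_POLICY_PATH, os.O_WRONLY))."""
    return lambda data: os.write(fd, data.encode())


def fake_kernel_writer(data):
    """Simulated kernel for offline use (constructed): rejects a rule with
    EINVAL when its fsmagic value is not a 0x-prefixed number."""
    for token in data.split():
        if token.startswith("fsmagic=") and not token[8:].startswith("0x"):
            raise OSError(errno.EINVAL, "Invalid argument")
    return len(data)
```

On a real system, replace fake_kernel_writer with securityfs_writer(fd) and check the returned failure tuple instead of guessing from "cat: write error".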