From: Mimi Z. <zo...@li...> - 2015-07-10 19:05:20
On Fri, 2015-07-10 at 15:02 +0200, Patrick Ohly wrote:
> Hello!
>
> Last time I looked at the IMA policy loading, I was baffled that the
> kernel ABI explicitly says that each write must be exactly one rule,
> while systemd used one write() for the entire policy file. At that time
> I concluded that the latter happens to work because the kernel reports
> shorts writes after each rule and systemd retries with the rest. That's
> also how it worked for cat.
Originally writing only one line at a time was supported, but that
changed with commit "6ccd045 ima: handle multiple rules per write" by
Eric Paris. The kernel ABI documentation needs to be updated to
reflect this change.
> However, now I ran into a situation where cat does not work for a policy
> which seems to be correct (attached):
>
> strace -s 1000 cat /etc/ima/ima-policy-floor >/sys/kernel/security/ima/policy
> ...
> open("/etc/ima/ima-policy-floor", O_RDONLY|O_LARGEFILE) = 3
> sendfile64(1, 3, NULL, 16777216) = 2
> sendfile64(1, 3, NULL, 16777216) = -1 EINVAL (Invalid argument)
> read(3, "# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)\n# \n# Do not measure anything, but appraise everything\n#\n# PROC_SUPER_MAGIC\ndont_appraise fsmagic=0x9fa0\n# SYSFS_MAGIC\ndont_appraise fsmagic=0x62656572\n# DEBUGFS_MAGIC\ndont_appraise fsmagic=0x64626720\n# TMPFS_MAGIC\ndont_appraise fsmagic=0x01021994\n# RAMFS_MAGIC\ndont_appraise fsmagic=0x858458f6\n# DEVPTS_SUPER_MAGIC\ndont_appraise fsmagic=0x1cd1\n# BIFMT\ndont_appraise fsmagic=0x42494e4d\n# SECURITYFS_MAGIC\ndont_appraise fsmagic=0x73636673\n# SELINUXFS_MAGIC\ndont_appraise fsmagic=0xf97cff8c\n\n# Appraise all operations on files with floor label.\nappraise obj_user=_\n", 4096) = 673
> write(1, "# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)\n# \n# Do not measure anything, but appraise everything\n#\n# PROC_SUPER_MAGIC\ndont_appraise fsmagic=0x9fa0\n# SYSFS_MAGIC\ndont_appraise fsmagic=0x62656572\n# DEBUGFS_MAGIC\ndont_appraise fsmagic=0x64626720\n# TMPFS_MAGIC\ndont_appraise fsmagic=0x01021994\n# RAMFS_MAGIC\ndont_appraise fsmagic=0x858458f6\n# DEVPTS_SUPER_MAGIC\ndont_appraise fsmagic=0x1cd1\n# BIFMT\ndont_appraise fsmagic=0x42494e4d\n# SECURITYFS_MAGIC\ndont_appraise fsmagic=0x73636673\n# SELINUXFS_MAGIC\ndont_appraise fsmagic=0xf97cff8c\n\n# Appraise all operations on files with floor label.\nappraise obj_user=_\n", 673) = -1 EINVAL (Invalid argument)
> brk(0) = 0xb77cd000
> brk(0xb77ee000) = 0xb77ee000
> write(2, "cat: write error: Invalid argument\n", 35cat: write error: Invalid argument
>
> This is on a 3.19.2 kernel.
>
> Writing each line one-by-one works:
>
> (set -e; while read -r i; do echo "$i" >&2; echo "$i"; done) </etc/ima/ima-policy-floor >/sys/kernel/security/ima/policy
>
> The shell loop writes to stderr and stdout on purpose. That way a broken
> policy rule can be identified, which is not the case when using cat.
>
> That works for me at the moment, but I am wondering how that'll affect
> policy loading via systemd. Is there anything in the policy that breaks
> the short write mechanism?
Commit 4dfb18922d5d "ima-setup: simplify" broke systemd IMA. Zbigniew
Jędrzejewski-Szmek partially reverted the change. For an explanation of
the bug, please refer to
https://bugzilla.redhat.com/show_bug.cgi?id=1226948 .
Mimi
> I tried with all comment and blank lines removed, but it still failed
> when using cat. Kernel messages in that case were:
>
> audit: type=1805 audit(1436532900.884:2): action="dont_appraise" fsmagic="0x9fa0" res=1
> IMA: policy update failed
> audit: type=1802 audit(1436532900.892:3): pid=187 uid=0 auid=4294967295 ses=4294967295 subj=System op="policy_update" cause="failed" comm="cat" res=0
>
> With the shell loop, I get:
>
> audit: type=1805 audit(1436532981.698:4): action="dont_appraise" fsmagic="0x9fa0" res=1
> audit: type=1805 audit(1436532981.701:5): action="dont_appraise" fsmagic="0x62656572" res=1
> audit: type=1805 audit(1436532981.709:6): action="dont_appraise" fsmagic="0x64626720" res=1
> audit: type=1805 audit(1436532981.711:7): action="dont_appraise" fsmagic="0x01021994" res=1
> audit: type=1805 audit(1436532981.716:8): action="dont_appraise" fsmagic="0x858458f6" res=1
> audit: type=1805 audit(1436532981.720:9): action="dont_appraise" fsmagic="0x1cd1" res=1
> audit: type=1805 audit(1436532981.725:10): action="dont_appraise" fsmagic="0x42494e4d" res=1
> audit: type=1805 audit(1436532981.729:11): action="dont_appraise" fsmagic="0x73636673" res=1
> audit: type=1805 audit(1436532981.734:12): action="dont_appraise" fsmagic="0xf97cff8c" res=1
> audit: type=1805 audit(1436532981.738:13): action="appraise" obj_user="_" res=1
> IMA: policy update completed
>
> _______________________________________________
> Linux-ima-user mailing list
> Lin...@li...
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
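A rule-at-a-time policy loader, added here as an example; it is not code from this thread, from systemd or from the kernel. It does in C what the shell loop above does: each non-comment, non-blank line goes to securityfs in its own write(2), a short write is retried with the remainder, and the line number of the first rule the kernel rejects is reported instead of cat's bare "Invalid argument". The default sink path /sys/kernel/security/ima/policy is the one from the thread; the demo_roundtrip helper, its sample policy and the temporary sink file standing in for securityfs are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write one rule (including its trailing newline) with write(2). The kernel
 * may consume fewer bytes than offered, so retry with the remainder until the
 * whole rule is accepted. Returns 0 on success, -errno on failure. */
static int write_rule(int fd, const char *rule, size_t len)
{
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, rule + off, len - off);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -errno;
        }
        if (n == 0)
            return -EIO;
        off += (size_t)n;
    }
    return 0;
}

/* Load policy_path into sink_path (normally /sys/kernel/security/ima/policy),
 * one rule per write(2). Comment lines and blank lines are dropped on the
 * user-space side so that a rejected write always maps to a real rule. On
 * failure the 1-based line number of the rejected rule is stored in *bad_line
 * (0 if the files could not be opened). Returns the number of rules written,
 * or -1 on error. */
int ima_load_policy(const char *policy_path, const char *sink_path, int *bad_line)
{
    char *line = NULL;
    size_t cap = 0;
    ssize_t len;
    int lineno = 0, rules = 0, failed = 0;

    if (bad_line)
        *bad_line = 0;
    FILE *in = fopen(policy_path, "r");
    if (!in)
        return -1;
    int fd = open(sink_path, O_WRONLY);
    if (fd < 0) {
        fclose(in);
        return -1;
    }
    while ((len = getline(&line, &cap, in)) != -1) {
        lineno++;
        char *p = line;
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0' || *p == '\n' || *p == '#')
            continue; /* not a rule: never handed to the kernel */
        int err = write_rule(fd, p, strlen(p));
        if (err) {
            fprintf(stderr, "%s:%d: rule rejected: %s\n", policy_path, lineno,
                    strerror(-err));
            if (bad_line)
                *bad_line = lineno;
            failed = 1;
            break;
        }
        rules++;
    }
    free(line);
    fclose(in);
    close(fd);
    return failed ? -1 : rules;
}

/* Constructed self-check: a small policy with comments and blank lines is
 * written to a temp file and loaded into a second temp file standing in for
 * securityfs. Returns the number of rules written when the sink holds exactly
 * the three rules, -1 otherwise. */
int demo_roundtrip(void)
{
    const char *policy =
        "# constructed sample policy, not from the thread\n"
        "dont_appraise fsmagic=0x9fa0\n"
        "\n"
        "   # indented comment\n"
        "dont_appraise fsmagic=0x62656572\n"
        "appraise obj_user=_\n";
    const char *expected =
        "dont_appraise fsmagic=0x9fa0\n"
        "dont_appraise fsmagic=0x62656572\n"
        "appraise obj_user=_\n";
    char pol[] = "/tmp/ima-policy-XXXXXX", sink[] = "/tmp/ima-sink-XXXXXX";
    int pfd = mkstemp(pol), sfd = mkstemp(sink);
    if (pfd < 0 || sfd < 0)
        return -1;
    if (write(pfd, policy, strlen(policy)) != (ssize_t)strlen(policy))
        return -1;
    close(pfd);
    int bad = 0;
    int rules = ima_load_policy(pol, sink, &bad);
    char buf[512] = {0};
    ssize_t n = read(sfd, buf, sizeof buf - 1); /* sfd still sits at offset 0 */
    close(sfd);
    unlink(pol);
    unlink(sink);
    if (n < 0 || bad != 0 || strcmp(buf, expected) != 0)
        return -1;
    return rules;
}

int main(int argc, char **argv)
{
    const char *policy = argc > 1 ? argv[1] : "/etc/ima/ima-policy-floor";
    int bad = 0;
    int rules = ima_load_policy(policy, "/sys/kernel/security/ima/policy", &bad);
    if (rules < 0) {
        fprintf(stderr, "policy load failed (bad line %d)\n", bad);
        return 1;
    }
    printf("%d rules loaded\n", rules);
    return 0;
}
```

Because comments and blank lines never reach the kernel, a non-zero bad_line points at a line that really is a rule, which is the information the strace above lacks; the per-rule write also keeps the loader independent of whether the running kernel accepts one rule or many per write(2).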