From: Mimi Z. <zo...@li...> - 2015-07-14 13:53:47

On Tue, 2015-07-14 at 15:44 +0200, Patrick Ohly wrote:
> Hello!
>
> I'm currently re-reading this mail thread because I am trying to achieve
> something similar using the Yocto/OpenEmbedded build system (see
> https://github.com/01org/meta-intel-iot-security/tree/master/meta-integrity).
>
> One comment caught my eye:
>
> On Wed, 2015-06-10 at 09:22 -0400, Mimi Zohar wrote:
> > On Tue, 2015-06-09 at 18:59 -0600, Curtis Veit wrote:
> > > I try to avoid issues with log (and other) files by mounting var on a
> > > separate filesystem and doing:
> > > dont_measure fowner=0 fsuuid=xxxxx...(uuid for var fs)
> > > dont_appraise fowner=0 fsuuid=xxxxx...
> >
> > Ok. Another option is to use LSM labels.
>
> I tried that using Smack labels
> (https://github.com/pohly/meta-intel-iot-security/tree/ima-floor-policy).
> It depends on read-only files having the special "_" label, while
> read/write files are typically "System" (at least in our setup).
>
> Then the only appraisal rule is:
>
> # Appraise all operations on files with floor label.
> appraise obj_user=_
>
> But IMHO such a system is not really secure, because an attacker could
> simply turn a protected file (label _) into an unprotected one (label
> System), either at runtime or offline. System services then wouldn't
> notice a difference (they can read System files just like _ files) and
> use a potentially modified file.
>
> Do I miss something here or is my conclusion correct?

On a running system with Smack enabled, Smack should be limiting who can
modify security xattrs. For offline protection, I assume they're using
EVM to protect file metadata from being modified.

Mimi
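The exchange above can be walked through in a small model. The following Python is an added example written for this archive page, not code from the thread, the kernel, or the meta-intel-iot-security layer. It assumes a simplified first-match evaluation of IMA rules (only the `fowner`, `fsuuid` and `obj_user` conditions quoted in the thread are understood), and a simplified EVM-style HMAC over the file's security xattrs and inode fields in place of the kernel's real `security.evm` computation. The fsuuid, the HMAC key and the file contents are constructed values. It shows both points: a file relabeled from `_` to `System` is no longer selected by `appraise obj_user=_`, and the same relabel invalidates the metadata HMAC because the Smack label is one of the fields it covers.

```python
"""Model of IMA policy matching and EVM-style metadata protection (added example)."""
import hashlib
import hmac

# Constructed sample rules in the IMA policy syntax quoted in the thread.
# The fsuuid is a placeholder value invented for this example.
IMA_POLICY = """\
# var is a separate filesystem; root-owned files there are neither measured nor appraised
dont_measure fowner=0 fsuuid=0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0
dont_appraise fowner=0 fsuuid=0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0
# Appraise all operations on files with floor label.
appraise obj_user=_
"""

# Stands in for the kernel's EVM HMAC key; a constructed value.
EVM_KEY = b"constructed-demo-evm-hmac-key"


def parse_policy(text):
    """Parse policy lines into (action, {condition: value}) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *conds = line.split()
        rules.append((action, dict(c.split("=", 1) for c in conds)))
    return rules


def ima_appraised(rules, finfo):
    """Simplified evaluation (assumption, not the kernel's exact algorithm):
    walk appraise/dont_appraise rules in order, every condition of a rule
    must match the file, and the first matching rule decides. With no
    matching rule the file is not appraised at all."""
    for action, conds in rules:
        if action not in ("appraise", "dont_appraise"):
            continue
        if all(str(finfo.get(k)) == v for k, v in conds.items()):
            return action == "appraise"
    return False


def evm_hmac(finfo):
    """Simplified model of EVM's HMAC: it binds the security xattrs (including
    the Smack label) and inode fields together, so changing any of them
    without the key leaves security.evm stale."""
    h = hmac.new(EVM_KEY, digestmod=hashlib.sha1)
    for name in ("security.ima", "security.SMACK64"):
        h.update(name.encode() + b"\0" + finfo["xattrs"].get(name, b""))
    for field in ("ino", "generation", "uid", "gid", "mode"):
        h.update(str(finfo[field]).encode() + b"\0")
    return h.hexdigest()


def evaluate(rules, finfo):
    """Return what the policy decides for the file and whether its sealed metadata is intact."""
    stored = finfo["xattrs"].get("security.evm", "")
    return {
        "appraised": ima_appraised(rules, finfo),
        "evm_valid": hmac.compare_digest(stored, evm_hmac(finfo)),
    }


def make_file(label, fsuuid, content):
    """Constructed file record: xattrs plus the inode fields the HMAC covers."""
    finfo = {
        "fowner": 0, "fsuuid": fsuuid, "obj_user": label,
        "ino": 4242, "generation": 1, "uid": 0, "gid": 0, "mode": 0o100755,
        "xattrs": {
            "security.ima": hashlib.sha256(content).digest(),
            "security.SMACK64": label.encode(),
        },
    }
    finfo["xattrs"]["security.evm"] = evm_hmac(finfo)   # sealed with the current label
    return finfo


def relabel_scenario():
    """The concern raised in the thread: a protected '_' file on the root fs is
    relabeled 'System' offline. Returns the evaluation before and after."""
    rules = parse_policy(IMA_POLICY)
    finfo = make_file("_", "root-fs-uuid-placeholder", b"#!/bin/sh\necho hello\n")
    before = evaluate(rules, finfo)
    # Offline relabel: the label changes, but security.evm cannot be recomputed
    # without EVM_KEY, so the stored HMAC no longer matches.
    finfo["obj_user"] = "System"
    finfo["xattrs"]["security.SMACK64"] = b"System"
    after = evaluate(rules, finfo)
    return before, after


def var_log_scenario():
    """A root-owned log file on the var filesystem: dont_appraise matches first."""
    rules = parse_policy(IMA_POLICY)
    finfo = make_file("System", "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0", b"log line\n")
    return evaluate(rules, finfo)


if __name__ == "__main__":
    print("root fs file, before/after relabel:", relabel_scenario())
    print("var fs log file:", var_log_scenario())
```

In the model the metadata check runs for every file regardless of which rule matched; on a real system that check only happens for files the policy selects for appraisal, so the policy, not just EVM, decides whether a relabeled file is ever looked at.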