From: Mimi Z. <zo...@li...> - 2015-08-05 20:35:42
On Tue, 2015-08-04 at 15:17 +0200, Patrick Ohly wrote:
> My expectation is that a device protected by appraisal refuses access to
> files that an attacker has tampered with while offline, without relying
> on measurements and a remote service that checks these measurements.
> Otherwise, what would be the benefit of appraisal?
>
> For example, suppose there is a data file read by the init process (for
> systemd, /lib/systemd/system/systemd-networkd.service would be a
> specific example). I can think of two approaches by which an attacker could
> get systemd to use a modified file (for example, one which
> invokes /bin/sh on a shell script which then runs as root).
>
> 1. Edit the file, change owner from root:root to some other owner.
> Because appraisal is limited to files owned by certain groups,
> it is no longer covered by the policy and thus access is granted
> despite the modified content.

True, the builtin appraisal policy only verifies files owned by root.
This policy could be replaced with a more comprehensive one similar to
the measurement policy, where all files executed or read by root are
appraised, or even with a more constrained policy that appraises all
files. You might be interested in David Safford's presentation at last
year's LSS titled "Extending the Linux Integrity Subsystem for TCB
Protection" -
http://kernsec.org/wiki/index.php/Linux_Security_Summit_2014/Abstracts/Safford

Mimi

> 2. Replace the file with a symlink to a file on the special
> partitions, modify it there.
>
> Symlinks are explicitly allowed by systemd, and I also don't expect that
> it cares about file ownership, so I don't see how such an attack would
> be prevented. Am I missing anything?
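As an added illustration, not code from the kernel or from either participant in the thread, here is a small Python model of IMA's first-matching-rule policy evaluation, applied to the two attacks described above under the builtin appraisal policy and under a hypothetical policy that selects on the acting uid rather than on file ownership (the shape Mimi suggests). The builtin rule list is abbreviated to a few of its dont_appraise entries, the alternative policy and the file accesses are constructed for this example, and attack 2 is modelled under the assumption that the "special partitions" are filesystems excluded by a dont_appraise rule (tmpfs is used as the stand-in). The model does no hashing or signature verification; it only shows which accesses a policy would select for appraisal.

```python
"""Toy evaluator of IMA appraisal policy rules (added example, not kernel code).

It models only what the thread discusses: rule order and the conditions
fowner=, uid=, func=, mask= and fsmagic=. The kernel additionally hashes the
file and checks security.ima; none of that is modelled here.
"""
from dataclasses import dataclass

# Filesystem magic numbers, values as in include/uapi/linux/magic.h.
PROC_SUPER_MAGIC = 0x9FA0
SYSFS_MAGIC = 0x62656572
TMPFS_MAGIC = 0x01021994
EXT4_SUPER_MAGIC = 0xEF53

# Abbreviated rendering of the builtin ima_appraise_tcb policy: a few
# dont_appraise rules for pseudo filesystems, then "appraise everything root owns".
APPRAISE_TCB = """
dont_appraise fsmagic=0x9fa0      # procfs
dont_appraise fsmagic=0x62656572  # sysfs
dont_appraise fsmagic=0x01021994  # tmpfs
appraise fowner=0
"""

# Hypothetical alternative shaped like the ima_tcb measurement policy:
# select on who executes or reads the file instead of on who owns it.
ROOT_ACTOR_POLICY = """
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x01021994
appraise func=BPRM_CHECK
appraise func=FILE_MMAP mask=MAY_EXEC
appraise func=FILE_CHECK mask=MAY_READ uid=0
appraise func=MODULE_CHECK
"""

INT_KEYS = {"fowner", "uid", "fsmagic"}


@dataclass(frozen=True)
class Access:
    """A file access as IMA sees it: the inode actually opened, after symlink resolution."""
    path: str
    func: str      # BPRM_CHECK, FILE_MMAP, FILE_CHECK or MODULE_CHECK
    mask: str      # MAY_READ or MAY_EXEC
    uid: int       # uid of the task performing the access
    fowner: int    # owner of the opened inode
    fsmagic: int   # magic of the filesystem holding that inode


def parse_policy(text):
    """Parse 'action key=value ...' lines into (action, {key: value}) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, *conds = line.split()
        if action not in ("appraise", "dont_appraise"):
            raise ValueError(f"unsupported action {action!r}")
        cond = {}
        for item in conds:
            key, value = item.split("=", 1)
            cond[key] = int(value, 0) if key in INT_KEYS else value
        rules.append((action, cond))
    return rules


def decide(rules, access):
    """First matching appraise/dont_appraise rule wins; no match means no appraisal."""
    for action, cond in rules:
        if all(getattr(access, key) == value for key, value in cond.items()):
            return action
    return "not_appraised"


UNIT = "/lib/systemd/system/systemd-networkd.service"

# Constructed accesses: systemd runs as root and reads the unit file.
BASELINE = Access(UNIT, "FILE_CHECK", "MAY_READ", uid=0, fowner=0, fsmagic=EXT4_SUPER_MAGIC)
# Attack 1 from the thread: content modified offline, owner changed to uid 1000.
CHOWNED = Access(UNIT, "FILE_CHECK", "MAY_READ", uid=0, fowner=1000, fsmagic=EXT4_SUPER_MAGIC)
# Attack 2, ASSUMING the "special partitions" are filesystems covered by a
# dont_appraise rule: the unit path is a symlink and the opened inode is on tmpfs.
SYMLINKED = Access(UNIT, "FILE_CHECK", "MAY_READ", uid=0, fowner=0, fsmagic=TMPFS_MAGIC)

SCENARIOS = {"baseline": BASELINE, "chowned": CHOWNED, "symlinked": SYMLINKED}


def compare(policies=None):
    """Return {policy_name: {scenario: decision}} for the constructed accesses."""
    policies = policies or {"appraise_tcb": APPRAISE_TCB, "root_actor": ROOT_ACTOR_POLICY}
    return {
        name: {scen: decide(parse_policy(text), acc) for scen, acc in SCENARIOS.items()}
        for name, text in policies.items()
    }


if __name__ == "__main__":
    for name, results in compare().items():
        print(name)
        for scen, verdict in results.items():
            print(f"  {scen:10s} -> {verdict}")
```

Under the builtin policy the chowned unit file matches no rule at all and is simply not appraised, which is the gap item 1 describes; a rule keyed on `func=FILE_CHECK mask=MAY_READ uid=0` still selects it because root is the reader regardless of who owns the file. The symlink case is decided on the resolved inode, so as modelled here both policies skip it through the shared dont_appraise rule; a policy change alone does not help if the target filesystem is excluded. The rule syntax follows Documentation/ABI/testing/ima_policy, and the exact set of builtin rules varies by kernel version, so check that file for the kernel you run before loading a policy shaped like the second one.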