From: Patrick O. <pat...@in...> - 2015-08-06 10:39:46
On Wed, 2015-08-05 at 16:35 -0400, Mimi Zohar wrote:
> On Tue, 2015-08-04 at 15:17 +0200, Patrick Ohly wrote:
>
> > My expectation is that a device protected by appraisal refuses access to
> > files that an attacker has tampered with while offline, without relying
> > on measurements and a remote service that checks these measurements.
> > Otherwise, what would be the benefit of appraisal?
> >
> > For example, suppose there is a data file read by the init process (for
> > systemd, /lib/systemd/system/systemd-networkd.service would be a
> > specific example). I can think of two approaches for how an attacker could
> > get systemd to use a modified file (for example, one which
> > invokes /bin/sh on a shell script which then runs as root).
> >
> > 1. Edit the file, change owner from root:root to some other owner.
> >    Because appraisal is limited to files owned by certain groups,
> >    it is no longer covered by the policy and thus access is granted
> >    despite the modified content.
>
> True, the builtin appraisal policy only verifies files owned by root.
> This policy could be replaced with a more comprehensive one similar to
> the measurement policy, where all files executed or read by root are
> appraised, or even with a more constrained policy that appraises all
> files.
>
> You might be interested in David Safford's presentation at last year's
> LSS titled "Extending the Linux Integrity Subsystem for TCB Protection"
> - http://kernsec.org/wiki/index.php/Linux_Security_Summit_2014/Abstracts/Safford

The threat model described there is explicitly about attacks on a running
device, and in that context IMA appraisal starts to make a lot more sense to
me than in the offline attack scenario that I described.

This IMA "locked" mode is not yet in the upstream kernel, is it? And without
it, IMA appraisal still has to be considered ineffective (or at least not as
complete as it should be) regarding online attacks?
--
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am an
employee of Intel, the statements I make here in no way represent Intel's
position on the issue, nor am I authorized to speak on behalf of Intel on this
matter.
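An added illustration of the policy comparison in the quoted exchange (this is not code from the thread or from the kernel): a small Python model of IMA rule matching that runs the "chown the edited unit file away from root" case against an owner-based rule like the builtin one and against a broader policy modelled on the measurement policy. The rule lines are written in ima-policy syntax, but the matcher is a simplified teaching model (first matching appraise/dont_appraise rule wins; no fsmagic or LSM conditions), and the `^MAY_READ` inclusion form assumes a kernel that supports it.

```python
# Simplified model of IMA policy matching: for the appraise class, the first
# matching appraise/dont_appraise rule decides. Added example, not kernel code.
from dataclasses import dataclass

MAY = {"MAY_EXEC": 1, "MAY_WRITE": 2, "MAY_READ": 4, "MAY_APPEND": 8}

@dataclass
class Access:
    func: str     # IMA hook: FILE_CHECK, BPRM_CHECK, MMAP_CHECK, ...
    mask: int     # MAY_* bits of the access
    uid: int      # uid of the accessing process
    fowner: int   # uid owning the file

def parse_policy(text):
    """Parse 'action cond=value ...' lines (ima-policy syntax, '#' comments)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            action, *conds = line.split()
            rules.append((action, dict(c.split("=", 1) for c in conds)))
    return rules

def rule_matches(cond, a):
    """Every condition present on the rule must hold for the access."""
    if cond.get("func", a.func) != a.func:
        return False
    if int(cond.get("uid", a.uid)) != a.uid or int(cond.get("fowner", a.fowner)) != a.fowner:
        return False
    m = cond.get("mask")
    if m is None:
        return True
    return bool(MAY[m[1:]] & a.mask) if m.startswith("^") else MAY[m] == a.mask

def appraised(rules, a):
    """True if the policy would appraise (verify hash/signature of) access a."""
    for action, cond in rules:
        if action in ("appraise", "dont_appraise") and rule_matches(cond, a):
            return action == "appraise"
    return False  # no rule matched: the access is not appraised at all

# Constructed scenario from the thread: init (uid 0) reads a unit file that an
# offline attacker modified and chowned away from root (owner uid 1000).
TAMPERED_READ = Access("FILE_CHECK", MAY["MAY_READ"], uid=0, fowner=1000)
OWNER_BASED = "appraise fowner=0   # like the builtin root-owned-files rule"
ROOT_ACCESS = """
appraise func=BPRM_CHECK mask=MAY_EXEC
appraise func=MMAP_CHECK mask=MAY_EXEC
appraise func=FILE_CHECK mask=^MAY_READ uid=0   # everything root reads
"""
```

`appraised(parse_policy(OWNER_BASED), TAMPERED_READ)` is False, i.e. the chowned file escapes appraisal, while the same read under `ROOT_ACCESS` is appraised because the rule keys on the reader's uid rather than the file's owner.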