From: Mimi Z. <zo...@li...> - 2015-12-22 19:06:52

On Tue, 2015-12-22 at 08:56 -0500, Kevin Sullivan wrote:
> Is there a way to prevent the root user from modifying the `security.ima`
> extended attribute on files?
>
> I am attempting to set up an IMA policy that only measures and appraises
> executables. I am able to do this by adding the following to my policy:
>
> measure func=BPRM_CHECK mask=MAY_EXEC
> measure func=FILE_MMAP mask=MAY_EXEC
>
> appraise func=BPRM_CHECK mask=MAY_EXEC
> appraise func=FILE_MMAP mask=MAY_EXEC
>
> dont_appraise func=FILE_CHECK
>
> However, I am noticing that the root user can always change the value of
> the `security.ima` extended attribute for any file, even when I'm not in
> `ima_appraise=fix` mode. For example, I can successfully run:
>
> # setfattr -n 'security.ima' -v 'FOO' /path/to/file
>
> Is there something that I can put in my policy to prevent the changing of
> extended attributes? I am not using EVM or SELinux, would these help?
>
> I am running a 3.10 kernel on RHEL7.

Yes, if the xattr contains a file signature, then the file is considered
"immutable" and is prevented from being modified. Commit c68ed80 "ima:
limit file hash setting by user to fix and log modes" added this support.
Unfortunately, this commit is relatively recent and appears in more recent
kernels.

Mimi
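The distinction Mimi draws (a `security.ima` value that holds a plain hash versus one that holds a file signature) is visible in the first byte of the xattr. The following is an added example, not code from this thread or from the IMA project: it parses a raw `security.ima` value the way an auditor would before deciding whether a file's hash can be rewritten by root. The type-byte constants are the kernel's `enum evm_ima_xattr_type` and the signature header layout is `struct signature_v2_hdr`, both from `security/integrity/integrity.h`; the hash-algorithm numbers are from the kernel's `enum hash_algo`. All sample xattr values are constructed, including the `FOO` string from the original question.

```python
"""Classify the contents of a raw `security.ima` extended attribute value.

Added example for the linux-ima thread above; not kernel or evmctl code.
Input is the raw xattr bytes (what `getfattr -n security.ima -e hex` shows,
after hex-decoding).  Only signature-typed values are reported immutable,
mirroring the kernel rule the thread refers to.
"""
import struct

# enum evm_ima_xattr_type (security/integrity/integrity.h)
IMA_XATTR_DIGEST = 0x01      # legacy digest with no algorithm byte (SHA-1)
EVM_XATTR_HMAC = 0x02        # HMAC; belongs in security.evm, not security.ima
EVM_IMA_XATTR_DIGSIG = 0x03  # asymmetric signature over the file hash
IMA_XATTR_DIGEST_NG = 0x04   # digest prefixed with a hash-algorithm byte

# Subset of the kernel's enum hash_algo, used only for readable output.
HASH_ALGO_NAMES = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}


def classify_ima_xattr(value: bytes) -> dict:
    """Describe a security.ima value and say whether IMA treats it as immutable."""
    if not value:
        return {"kind": "empty", "immutable": False}
    xattr_type, body = value[0], value[1:]

    if xattr_type == IMA_XATTR_DIGEST:
        # Old format: type byte followed directly by the digest.
        return {"kind": "hash", "digest_len": len(body), "immutable": False}

    if xattr_type == IMA_XATTR_DIGEST_NG:
        # type(1) hash_algo(1) digest[]
        if not body:
            return {"kind": "invalid", "reason": "missing hash_algo", "immutable": False}
        return {"kind": "hash-ng", "hash_algo": body[0],
                "hash_name": HASH_ALGO_NAMES.get(body[0], "unknown"),
                "digest_len": len(body) - 1, "immutable": False}

    if xattr_type == EVM_IMA_XATTR_DIGSIG:
        # struct signature_v2_hdr: type(1) version(1) hash_algo(1)
        #                          keyid(4, big-endian) sig_size(2, big-endian) sig[]
        # The type byte was already consumed, so 8 header bytes remain.
        if len(body) < 8:
            return {"kind": "invalid", "reason": "short signature header", "immutable": False}
        version, hash_algo, keyid, sig_size = struct.unpack(">BBIH", body[:8])
        sig = body[8:]
        if len(sig) != sig_size:
            return {"kind": "invalid", "reason": "sig_size mismatch", "immutable": False}
        return {"kind": "signature", "version": version, "hash_algo": hash_algo,
                "hash_name": HASH_ALGO_NAMES.get(hash_algo, "unknown"),
                "keyid": f"{keyid:08x}", "sig_size": sig_size, "immutable": True}

    if xattr_type == EVM_XATTR_HMAC:
        return {"kind": "invalid", "reason": "HMAC type is not valid in security.ima",
                "immutable": False}
    return {"kind": "invalid", "reason": f"unknown type byte 0x{xattr_type:02x}",
            "immutable": False}


# Constructed sample values (not taken from any real file).
SAMPLES = {
    # Hash-only xattr, as produced by ima_appraise=fix mode with sha256.
    "sha256_hash": bytes([IMA_XATTR_DIGEST_NG, 4]) + b"\x11" * 32,
    # Signed xattr: v2 header, sha256, made-up keyid, 8-byte placeholder signature.
    "signed": bytes([EVM_IMA_XATTR_DIGSIG, 2, 4])
              + (0xDEADBEEF).to_bytes(4, "big") + (8).to_bytes(2, "big") + b"\xaa" * 8,
    # The literal string written with `setfattr -v 'FOO'` in the question.
    "foo": b"FOO",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} {classify_ima_xattr(raw)}")
```

Run against real files, the raw bytes would come from `getfattr -n security.ima -e hex` on each path; a value that classifies as `hash` or `hash-ng` is exactly the case Kevin observed, where root can overwrite the attribute, while a `signature` value is the case Mimi describes as immutable on kernels that carry commit c68ed80.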