From: Mimi Z. <zo...@li...> - 2015-12-23 17:51:19

On Wed, 2015-12-23 at 17:28 +0100, Tao wrote:
> Hi,
>
> I am trying the IMA appraisal function on a CentOS7 minimal installation
> machine. By default, this distribution ships with a compiled kernel that
> supports IMA functions. Kernel version is 3.10.0.
>
> I followed the instructions on the following two web pages.
>
> http://sourceforge.net/p/linux-ima/wiki/Home/
>
> https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture
>
> It works fine with the measurement functions and IMA appraisal without
> digital signatures. I activated the i_version flag in the root filesystem in
> the boot command line and changed the mount option in the /etc/fstab file.
>
> Since right now I am just testing the capability of the IMA, I set a
> custom policy only to appraise the files belonging to a user named "temp"
> and added "ima_appraise=enforce" in the boot command line.
>
> Then I use 'evmctl ima_hash file' and it works fine. I can see the
> security.ima extended attribute with the 'getfattr' command. And after I
> change the owner of the file to temp, I can still open it and execute it.

Does the reverse also work, meaning if a file owned by temp isn't signed,
can you execute it?

> The problem is with the ima_sign function provided by evmctl. Following
> the instructions, I create a new keyring in the system by launching the
> following commands:
>
> openssl genrsa -out privkey_evm.pem 1024
>
> openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
>
> ima_id=`keyctl newring _ima @u`

Try logging in as root or "su -", not using "sudo", to create the "_ima"
keyring.

> evmctl import --rsa /etc/keys/pubkey_evm.pem $ima_id
>
> evmctl ima_sign --rsa file -v
>
> Until this point, I can see the hash value, the keyid, sighash and
> evm/ima signature. And I also can see the security.ima attribute is
> becoming 274 bytes long.
>
> Then I launch:
>
> evmctl ima_verify --rsa file -v
>
> and I can see the hash is correct and sighash is the same one shown with
> the above command. And the verification is OK.
>
> But after I change the ownership of the file to user
> 'temp' whose files are set to be appraised, and try to run the same
> ima_verify again, it gives an error with the following message:
>
> [8621.067731] digsig: key not found, id:DE253B20DFD8E3

Probably "_ima" is not on root's keyring.

Mimi

> Fail to open: file
>
> Errno: Permission denied (13)
>
> With the 'keyctl show' command, I can see the
> sub-attributes of the keyring: _uid.0, named _ima and DE253B20DFD8E3.
>
> Can anyone enlighten me as to what the possible error is? I followed exactly
> the procedure described in the wiki page. Or has something changed?
>
> Thank you very much for your time and best wishes!
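As an added example (not part of this thread and not code from ima-evm-utils), the Python below decodes a signed security.ima value the way the kernel does, derives the key description it looks up on the _ima keyring, and then checks a `keyctl show` dump for that key under a keyring named _ima, which is the failure the dmesg line above reports. The sample xattr and keyring dump are constructed; the keyid is the one from the thread's error message, and the v2 branch goes beyond the thread's `--rsa` (v1) case to cover the newer signature header as well.

```python
import re
import struct

EVM_IMA_XATTR_DIGSIG = 0x03  # security.ima type byte for a signature (enum evm_ima_xattr_type)

def parse_security_ima(blob):
    """Decode a signed security.ima value as the kernel does and return the key
    description it searches the _ima keyring for (v1: the 8-byte keyid printed
    with "%llX", so leading zero bytes vanish; v2: the "id:%08x" form)."""
    if len(blob) < 2 or blob[0] != EVM_IMA_XATTR_DIGSIG:
        raise ValueError("not a signed security.ima value")
    if blob[1] == 1:
        # struct signature_hdr: version, timestamp, algo, hash, keyid[8], nmpi
        _, _ts, algo, hash_id, keyid, nmpi = struct.unpack_from(">B4sBB8sB", blob, 1)
        return {"version": 1, "algo": algo, "hash": hash_id, "nmpi": nmpi,
                "key_desc": "%X" % int.from_bytes(keyid, "big")}
    if blob[1] == 2:
        # struct signature_v2_hdr: type, version, hash_algo, keyid (be32), sig_size (be16)
        _, _, hash_algo, keyid, sig_size = struct.unpack_from(">BBBIH", blob)
        return {"version": 2, "hash_algo": hash_algo, "sig_size": sig_size,
                "key_desc": "id:%08x" % keyid}
    raise ValueError("unknown signature version %d" % blob[1])

def ima_key_reachable(keyctl_show, key_desc):
    """From `keyctl show` output, tell whether key_desc sits inside a keyring
    named _ima; nesting is read from the indentation before the "\\_" marks."""
    line_re = re.compile(r"^\s*\d+\s+\S+\s+\d+\s+\d+(\s+)(\\_\s+)?(\w+):\s+(\S+)")
    ima_depth = None
    for line in keyctl_show.splitlines():
        m = line_re.match(line)
        if not m:
            continue
        depth, ktype, desc = len(m.group(1)), m.group(3), m.group(4)
        if ktype == "keyring" and desc == "_ima":
            ima_depth = depth
        elif ima_depth is not None and depth <= ima_depth:
            ima_depth = None  # left the _ima subtree
        elif ima_depth is not None and desc == key_desc:
            return True
    return False

# Constructed sample: v1 header carrying the keyid from the thread's dmesg line
# (00DE253B20DFD8E3), a zero timestamp, algo/hash bytes and a dummy 1024-bit MPI.
SAMPLE_XATTR = (bytes([0x03, 0x01, 0, 0, 0, 0, 0x01, 0x02]) + bytes.fromhex("00DE253B20DFD8E3")
                + bytes([0x01]) + (1024).to_bytes(2, "big") + b"\xaa" * 128)
# Constructed `keyctl show` dump as seen from a root login shell (su -).
SAMPLE_SHOW = """ 996797485 --alswrv      0     0  keyring: _ses
 301102013 --alswrv      0 65534   \\_ keyring: _uid.0
 812436871 --alswrv      0     0       \\_ keyring: _ima
 700112233 --alswrv      0     0           \\_ user: DE253B20DFD8E3"""
```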