From: Kevin S. <kev...@gm...> - 2015-12-24 20:06:47
On Tue, Dec 22, 2015 at 2:05 PM, Mimi Zohar <zo...@li...> wrote:
> On Tue, 2015-12-22 at 08:56 -0500, Kevin Sullivan wrote:
> > Is there a way to prevent the root user from modifying the `security.ima`
> > extended attribute on files?
> >
> > I am attempting to set up an IMA policy that only measures and appraises
> > executables. I am able to do this by adding the following to my policy:
> >
> > measure func=BPRM_CHECK mask=MAY_EXEC
> > measure func=FILE_MMAP mask=MAY_EXEC
> >
> > appraise func=BPRM_CHECK mask=MAY_EXEC
> > appraise func=FILE_MMAP mask=MAY_EXEC
> >
> > dont_appraise func=FILE_CHECK
> >
> > However, I am noticing that the root user can always change the value of
> > the `security.ima` extended attribute for any file, even when I'm not in
> > `ima_appraise=fix` mode. For example, I can successfully run:
> >
> > # setfattr -n 'security.ima' -v 'FOO' /path/to/file
> >
> > Is there something that I can put in my policy to prevent the changing of
> > extended attributes? I am not using EVM or SELinux, would these help?
> >
> > I am running a 3.10 kernel on RHEL7.
>
> Yes, if the xattr contains a file signature, then the file is considered
> "immutable" and is prevented from being modified. Commit c68ed80 "ima:
> limit file hash setting by user to fix and log modes" added this
> support. Unfortunately, this commit is relatively recent and appears in
> more recent kernels.
>
> Mimi
>

Thank you for the prompt response, Mimi! This is exactly what I was looking for.

Just to be clear, by 'file signature', do you mean a hash or digital signature?

Also, it looks like RHEL 7 doesn't have a kernel that has incorporated this commit, so I am out of luck for now.

Thank you!

Kevin
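An added example, not part of the thread, that makes the "hash or digital signature" distinction concrete: the first byte of `security.ima` identifies the xattr type, and only the signature type (0x03) is what the commit Mimi cites treats as immutable; a plain hash (0x01 or 0x04) or an arbitrary string such as the `FOO` from the `setfattr` command above is not a signature. The `audit_executables` helper and the sample byte strings are constructed for this example and assume a Linux host where `os.getxattr` can read `security.ima`.

```python
import os, stat

# First byte of security.ima is an evm_ima_xattr_type (kernel security/integrity).
XATTR_TYPES = {0x01: "IMA_XATTR_DIGEST",       # legacy SHA-1 file hash
               0x03: "EVM_IMA_XATTR_DIGSIG",   # asymmetric file signature
               0x04: "IMA_XATTR_DIGEST_NG"}    # hash with explicit algorithm byte
# enum hash_algo from include/uapi/linux/hash_info.h (first entries).
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160", 4: "sha256",
              5: "sha384", 6: "sha512", 7: "sha224"}

def classify_ima_xattr(raw):
    """Return (xattr type, hash algorithm, is_signature) for a security.ima value."""
    if not raw:
        return ("empty", None, False)
    xtype = XATTR_TYPES.get(raw[0], "unknown(0x%02x)" % raw[0])
    algo = None
    if raw[0] == 0x01:
        algo = "sha1"
    elif raw[0] == 0x04 and len(raw) > 1:
        algo = HASH_ALGOS.get(raw[1], "unknown(%d)" % raw[1])
    elif raw[0] == 0x03 and len(raw) > 2 and raw[1] == 2:
        # signature_v2_hdr: type, version, hash_algo, keyid[4], be16 sig_size, sig[]
        algo = HASH_ALGOS.get(raw[2], "unknown(%d)" % raw[2])
    return (xtype, algo, raw[0] == 0x03)

def audit_executables(root):
    """List executables under `root` whose security.ima is absent or holds no
    signature; on the 3.10 kernel in the thread root can rewrite any of these."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue
            try:
                raw = os.getxattr(path, "security.ima")
            except OSError:  # no xattr, or not permitted to read it
                raw = b""
            xtype, algo, signed = classify_ima_xattr(raw)
            if not signed:
                findings.append((path, xtype, algo))
    return findings

# Constructed sample values, not labels taken from a real system.
SAMPLE_HASH_NG = bytes([0x04, 0x04]) + bytes(32)                        # sha256 digest
SAMPLE_LEGACY = bytes([0x01]) + bytes(20)                               # legacy sha1 digest
SAMPLE_SIG = bytes([0x03, 0x02, 0x04, 0, 0, 0, 0, 1, 0]) + bytes(256)   # v2 signature
```

Running `audit_executables("/usr/bin")` as root on a system provisioned with hashes rather than signatures lists every binary whose label the kernel will still accept a `setfattr` rewrite for.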