From: Mimi Z. <zo...@li...> - 2015-12-24 20:14:46
On Thu, 2015-12-24 at 15:06 -0500, Kevin Sullivan wrote:
> On Tue, Dec 22, 2015 at 2:05 PM, Mimi Zohar <zo...@li...>
> wrote:
>
> > On Tue, 2015-12-22 at 08:56 -0500, Kevin Sullivan wrote:
> > > Is there a way to prevent the root user from modifying the `security.ima`
> > > extended attribute on files?
> > >
> > > I am attempting to set up an IMA policy that only measures and appraises
> > > executables. I am able to do this by adding the following to my policy:
> > >
> > > measure func=BPRM_CHECK mask=MAY_EXEC
> > > measure func=FILE_MMAP mask=MAY_EXEC
> > >
> > > appraise func=BPRM_CHECK mask=MAY_EXEC
> > > appraise func=FILE_MMAP mask=MAY_EXEC
> > >
> > > dont_appraise func=FILE_CHECK
> > >
> > > However, I am noticing that the root user can always change the value of
> > > the `security.ima` extended attribute for any file, even when I'm not in
> > > `ima_appraise=fix` mode. For example, I can successfully run:
> > >
> > > # setfattr -n 'security.ima' -v 'FOO' /path/to/file
> > >
> > > Is there something that I can put in my policy to prevent the changing of
> > > extended attributes? I am not using EVM or SELinux, would these help?
> > >
> > > I am running a 3.10 kernel on RHEL7.
> >
> > Yes, if the xattr contains a file signature, then the file is considered
> > "immutable" and is prevented from being modified. Commit c68ed80 "ima:
> > limit file hash setting by user to fix and log modes" added this
> > support. Unfortunately, this commit is relatively recent and appears in
> > more recent kernels.
> >
> > Mimi
>
> Thank you for the prompt response Mimi! This is exactly what I was looking
> for.
>
> Just to be clear, by 'file signature', do you mean a hash or digital
> signature?

When security.ima is a file signature, as generated by evmctl, even root can
not modify the xattr.

> Also, it looks like RHEL 7 doesn't have a kernel that has incorporated this
> commit, so I am out of luck for now.
>
> Thank you!

You're welcome.

Mimi
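The distinction the thread turns on (whether `security.ima` holds a kernel-managed hash or an evmctl-style signature) can be checked from the raw xattr bytes. The following is an added example, not code from the list thread or from the ima-evm-utils project: it decodes the value's leading type byte using the kernel's `evm_ima_xattr_type` constants (hash 0x01/0x04, signature 0x03) and, for signatures, the packed v2 header (type, version, hash algorithm, big-endian key id, big-endian signature length). The sample values, including a dummy all-zero "signature", are constructed here for illustration; on a real Linux system `os.getxattr(path, "security.ima")` returns the bytes to feed in.

```python
"""Classify a security.ima xattr value as a hash, a signature, or garbage.

Added example for the linux-ima thread above; not the list's or the
kernel's own code. Type-byte and hash-algorithm constants follow the
kernel's evm_ima_xattr_type and hash_algo enums.
"""
import hashlib
import os
import struct

# Leading byte of a security.ima value (enum evm_ima_xattr_type).
IMA_XATTR_DIGEST = 0x01      # legacy: bare SHA1 digest follows
EVM_XATTR_HMAC = 0x02        # EVM HMAC (lives in security.evm, not security.ima)
EVM_IMA_XATTR_DIGSIG = 0x03  # digital signature, as written by "evmctl sign"
IMA_XATTR_DIGEST_NG = 0x04   # digest preceded by a hash-algorithm byte

# enum hash_algo id -> (name, digest length in bytes)
HASH_ALGOS = {
    0: ("md4", 16), 1: ("md5", 16), 2: ("sha1", 20), 3: ("rmd160", 20),
    4: ("sha256", 32), 5: ("sha384", 48), 6: ("sha512", 64),
}

# struct signature_v2_hdr (packed): type, version, hash_algo, __be32 keyid,
# __be16 sig_size, then sig_size bytes of signature.
SIG_V2_HDR = ">BBBIH"


def classify_ima_xattr(value: bytes) -> dict:
    """Decode one security.ima value and say what kind of protection it carries.

    "hash": kernel-managed digest; per the thread, newer kernels only let
            root write these in ima_appraise=fix/log modes (commit c68ed80).
    "signature": evmctl-generated signature; per the thread, the file is then
            treated as immutable and even root cannot replace the xattr.
    "unknown": first byte is not a valid evm_ima_xattr_type (e.g. "FOO").
    """
    if not value:
        return {"kind": "empty", "well_formed": False}
    kind_byte = value[0]

    if kind_byte == IMA_XATTR_DIGEST:
        digest = value[1:]
        return {"kind": "hash", "algo": "sha1", "digest": digest.hex(),
                "well_formed": len(digest) == 20}

    if kind_byte == IMA_XATTR_DIGEST_NG:
        if len(value) < 2:
            return {"kind": "hash", "well_formed": False}
        name, size = HASH_ALGOS.get(value[1], ("algo%d" % value[1], None))
        digest = value[2:]
        return {"kind": "hash", "algo": name, "digest": digest.hex(),
                "well_formed": size is not None and len(digest) == size}

    if kind_byte == EVM_IMA_XATTR_DIGSIG:
        hdr_len = struct.calcsize(SIG_V2_HDR)  # 9 bytes
        if len(value) < hdr_len:
            return {"kind": "signature", "well_formed": False}
        _, version, algo, keyid, sig_size = struct.unpack(SIG_V2_HDR, value[:hdr_len])
        sig = value[hdr_len:]
        name = HASH_ALGOS.get(algo, ("algo%d" % algo, None))[0]
        # Only the v2 header layout is parsed here; anything else is flagged.
        return {"kind": "signature", "version": version, "algo": name,
                "keyid": "%08x" % keyid, "sig_size": sig_size,
                "well_formed": version == 2 and len(sig) == sig_size}

    return {"kind": "unknown", "type_byte": kind_byte, "well_formed": False}


def read_ima_xattr(path: str) -> bytes:
    """Read the raw security.ima value from a real file (Linux only)."""
    return os.getxattr(path, "security.ima")


def build_samples() -> dict:
    """Constructed sample values; the signature bytes are a placeholder, not a real RSA signature."""
    content = b"#!/bin/sh\necho hello\n"
    return {
        "legacy sha1 hash": bytes([IMA_XATTR_DIGEST]) + hashlib.sha1(content).digest(),
        "sha256 hash (DIGEST_NG)": bytes([IMA_XATTR_DIGEST_NG, 4]) + hashlib.sha256(content).digest(),
        "v2 signature (dummy bytes)": struct.pack(SIG_V2_HDR, EVM_IMA_XATTR_DIGSIG, 2, 4,
                                                 0x12345678, 256) + bytes(256),
        "setfattr -v FOO": b"FOO",  # the value from the thread's setfattr command
    }


if __name__ == "__main__":
    for label, raw in build_samples().items():
        print("%-28s -> %s" % (label, classify_ima_xattr(raw)))
```

Running the block prints one line per sample; the `FOO` value from the thread decodes to an unknown type byte (0x46), which is why it cannot give a file either hash or signature protection.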