From: Baal Su <baa...@gm...> - 2016-01-12 12:16:27

> On 11 Jan 2016, at 20:53, Mimi Zohar <zo...@li...> wrote:
>
> On Mon, 2016-01-11 at 16:58 +0100, Baal Su wrote:
>
>> Hi Mimi,
>>
>> Thank you for your reply.
>>
>> I tried to recompile the kernel to 4.1.15, which is the latest longterm version. But the aforementioned problem still exists.
>>
>> When I run "keyctl show", I can see the following output:
>>
>> Session Keyring
>>  841881916 --alswrv      0     0  keyring: _ses
>> 1060565120 --alswrv      0 65534   \_ keyring: _uid.0
>>  332490404 --alswrv      0     0   \_ keyring: _ima
>>  452725264 --alswrv      0     0   \_ user: 821C0DFD4C617DA
>
> It doesn't look like there are any keys on the _ima keyring. Try
> listing the keys on the keyring: keyctl list `keyctl search @u keyring
> _ima`
>

Hi Mimi and Mark,

There is a mistake in the previous output; the correct one is the following:

Session Keyring
 841881916 --alswrv      0     0  keyring: _ses
1060565120 --alswrv      0 65534   \_ keyring: _uid.0
 332490404 --alswrv      0     0   \_ keyring: _ima
 452725264 --alswrv      0     0       \_ user: 821C0DFD4C617DA

The '\_ user: 821C0DFD4C617DA' is the sub level of the keyring _ima. When I list the keys on the keyring, I can see the following output:

1 key in keyring:
6747479103 --alswrv      0     0  user: 821C0DFD4C617DA

But when I try to read this file, which belongs to another user whose files are appraised, it still shows the same error as the following. Following Mark's suggestion, I tried to show the keys belonging to the global .ima keyring; there is no key under it.

>
>> But when I want to read from a file under appraisal with enforce mode, it still shows:
>>
>> [  358.334856] digsig: key not found, id: 821C0DFD4C617DA
>> cat: file: Permission denied
>
> Only asymmetric keys should be on the IMA keyring, not user.

I followed the instructions in the wiki page <http://sourceforge.net/p/linux-ima/wiki/Home/#imaevm-keyrings-loading-the-public-keys> to load the public keys, but instead of an x509 certificate, I just used the RSA key pairs. Is there any change in the new version of the code?
Because when I tried to load the public key, if I omit the '--rsa' option, it shows 'd2i_x509_fp() failed', but this is not mentioned in the wiki. Please let me know if you have some idea why this error happens.

Thank you very much for your time and best wishes!

Tao

>
> Mimi
>
>> Should I try with more recent kernel?
>>
>> Thank you for your time and best wishes!
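The diagnostic the thread converges on is a key-type mismatch: the key on the `_ima` keyring is a `user:` key, while IMA's digsig verifier only searches `asymmetric` keys, so the lookup for id 821C0DFD4C617DA fails even though a key with that description is present. The following Python script is an added example, not code from the thread or from the ima-evm-utils project: it parses `keyctl show` output into a tree, locates the `_ima` keyring, extracts the key id from the `digsig: key not found` kernel message, and reports why the lookup cannot succeed. The sample `keyctl show` and dmesg text are constructed to reproduce the layout reported above; the matching rule (an `asymmetric` key whose description ends with the hex id) is a simplifying assumption for illustration, not the kernel's exact partial-id match.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, laid out like real `keyctl show` output, reproducing the
# keyring layout reported in the thread: a "user" key, not an "asymmetric" key,
# sits on the _ima keyring.
KEYCTL_SHOW_SAMPLE = """\
Session Keyring
 841881916 --alswrv      0     0  keyring: _ses
1060565120 --alswrv      0 65534   \\_ keyring: _uid.0
 332490404 --alswrv      0     0   \\_ keyring: _ima
 452725264 --alswrv      0     0       \\_ user: 821C0DFD4C617DA
"""

# Constructed sample of the kernel message quoted in the thread.
DMESG_SAMPLE = "[  358.334856] digsig: key not found, id: 821C0DFD4C617DA"

# serial perms uid gid [indent \_ ] type: description
# The width of the "indent" group (spaces plus the optional "\_ ") grows with
# nesting depth, which is what lets us rebuild the tree.
KEY_LINE = re.compile(
    r"^\s*(?P<serial>\d+)\s+(?P<perms>\S+)\s+(?P<uid>\d+)\s+(?P<gid>\d+)"
    r"(?P<indent>\s+(?:\\_\s+)?)(?P<type>[A-Za-z0-9._-]+):\s*(?P<desc>.*?)\s*$"
)
DIGSIG_LINE = re.compile(r"digsig: key not found, id:\s*(?P<keyid>[0-9A-Fa-f]+)")


@dataclass
class Key:
    serial: int
    ktype: str
    desc: str
    depth: int
    children: List["Key"] = field(default_factory=list)


def parse_keyctl_show(text: str) -> List[Key]:
    """Rebuild the keyring tree from `keyctl show` output (non-key lines ignored)."""
    roots: List[Key] = []
    stack: List[Key] = []  # path from a root to the most recently seen key
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        key = Key(int(m["serial"]), m["type"], m["desc"], len(m["indent"]))
        # Pop back to the nearest ancestor that is indented less than this key.
        while stack and stack[-1].depth >= key.depth:
            stack.pop()
        (stack[-1].children if stack else roots).append(key)
        stack.append(key)
    return roots


def find_keyring(roots: List[Key], name: str) -> Optional[Key]:
    """Depth-first search for a keyring with the given description (e.g. "_ima")."""
    todo = list(roots)
    while todo:
        k = todo.pop()
        if k.ktype == "keyring" and k.desc == name:
            return k
        todo.extend(k.children)
    return None


def check_ima_keyring(show_output: str, dmesg_line: str) -> List[str]:
    """Explain why IMA's digsig lookup for the key id in dmesg_line would fail.

    Returns an empty list when an asymmetric key matching the id is on _ima.
    """
    findings: List[str] = []
    m = DIGSIG_LINE.search(dmesg_line)
    wanted = m["keyid"].upper() if m else None

    ima = find_keyring(parse_keyctl_show(show_output), "_ima")
    if ima is None:
        return ["no _ima keyring in the session; create it with: keyctl newring _ima @u"]
    if not ima.children:
        findings.append("_ima keyring is empty")
    for k in ima.children:
        # digsig only searches the asymmetric key type; a user: key with the
        # right description is invisible to it.
        if k.ktype != "asymmetric":
            findings.append(
                f"key {k.serial} ({k.desc}) is type '{k.ktype}', not 'asymmetric'"
            )
    if wanted and not any(
        k.ktype == "asymmetric" and k.desc.upper().endswith(wanted)
        for k in ima.children
    ):
        findings.append(f"no asymmetric key matching id {wanted} on _ima")
    return findings


if __name__ == "__main__":
    for finding in check_ima_keyring(KEYCTL_SHOW_SAMPLE, DMESG_SAMPLE):
        print(finding)
```

Run against the layout from the thread, the check reports the `user` key on `_ima` and the absence of any `asymmetric` key for the id; rewriting the key's type column to `asymmetric:` makes the findings list empty. In practice the fix is on the loading side rather than the checking side: the wiki page the thread links describes importing an X.509 DER certificate into `_ima` with `evmctl import`, which creates an `asymmetric` key, whereas the raw-RSA import path the poster used (the `--rsa` option) yields the `user:` entry seen in the `keyctl show` output.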