From: Mimi Z. <zo...@li...> - 2016-01-12 15:32:15
On Thu, 2015-12-24 at 15:13 -0500, Mimi Zohar wrote:
> On Thu, 2015-12-24 at 15:06 -0500, Kevin Sullivan wrote:
> > On Tue, Dec 22, 2015 at 2:05 PM, Mimi Zohar <zo...@li...>
> > wrote:
> >
> > > On Tue, 2015-12-22 at 08:56 -0500, Kevin Sullivan wrote:
> > > > Is there a way to prevent the root user from modifying the `security.ima`
> > > > extended attribute on files?
> > > >
> > > > I am attempting to set up an IMA policy that only measures and appraises
> > > > executables. I am able to do this by adding the following to my policy:
> > > >
> > > > measure func=BPRM_CHECK mask=MAY_EXEC
> > > > measure func=FILE_MMAP mask=MAY_EXEC
> > > >
> > > > appraise func=BPRM_CHECK mask=MAY_EXEC
> > > > appraise func=FILE_MMAP mask=MAY_EXEC
> > > >
> > > > dont_appraise func=FILE_CHECK
> > > >
> > > > However, I am noticing that the root user can always change the value of
> > > > the `security.ima` extended attribute for any file, even when I'm not in
> > > > `ima_appraise=fix` mode. For example, I can successfully run:
> > > >
> > > > # setfattr -n 'security.ima' -v 'FOO' /path/to/file
> > > >
> > > > Is there something that I can put in my policy to prevent the changing of
> > > > extended attributes? I am not using EVM or SELinux; would these help?
> > > >
> > > > I am running a 3.10 kernel on RHEL7.
> > >
> > > Yes, if the xattr contains a file signature, then the file is considered
> > > "immutable" and is prevented from being modified. Commit c68ed80 "ima:
> > > limit file hash setting by user to fix and log modes" added this
> > > support. Unfortunately, this commit is relatively recent and appears in
> > > more recent kernels.

I stand corrected. Patrick Callaghan, a colleague, pointed it out. That
patch prevents writing a hash to security.ima, not a signature. We need
the ability to write file signatures in order to label the file system.
I have a patch somewhere that prevents writing security.ima if it already
has a signature. I need to dig it out.

Mimi

> >
> > Thank you for the prompt response Mimi! This is exactly what I was looking
> > for.
> >
> > Just to be clear, by 'file signature', do you mean a hash or digital
> > signature?
>
> When security.ima is a file signature, as generated by evmctl, even root
> cannot modify the xattr.
>
> > Also, it looks like RHEL 7 doesn't have a kernel that has incorporated this
> > commit, so I am out of luck for now.
> >
> > Thank you!
>
> You're welcome.
>
> Mimi
>
> _______________________________________________
> Linux-ima-user mailing list
> Lin...@li...
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
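The distinction the thread turns on is what kind of value sits in security.ima: a hash (which the c68ed80 change only lets root rewrite in fix/log mode) versus an evmctl-style signature (which, per Mimi's reply, even root cannot modify). An administrator auditing a labelled tree wants to know which files carry only a hash, or an arbitrary value like the 'FOO' in Kevin's setfattr example, rather than a signature. The following script is an added example, not code from the thread or from ima-evm-utils; it decodes the xattr using the type-byte layout from the kernel's security/integrity/integrity.h (0x01 legacy SHA-1 digest, 0x03 signature_v2_hdr, 0x04 digest-ng with a hash-algorithm byte) and the hash_info.h algorithm IDs. The function names, the classification labels and the sample xattr values are constructed for illustration; only read_ima_xattr touches a real file, and it needs Linux with xattr support.

```python
import errno
import hashlib
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Type byte at the start of security.ima (kernel security/integrity/integrity.h).
IMA_XATTR_DIGEST = 0x01        # legacy layout: type byte + raw SHA-1 digest
EVM_IMA_XATTR_DIGSIG = 0x03    # signature_v2_hdr followed by the signature bytes
IMA_XATTR_DIGEST_NG = 0x04     # type byte + hash-algorithm byte + digest

# Hash algorithm IDs from include/uapi/linux/hash_info.h (the ones IMA commonly uses).
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
             4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}


@dataclass
class ImaXattr:
    kind: str             # "signature", "hash", "legacy-hash", "malformed" or "missing" (labels chosen here)
    algo: Optional[str]   # hash algorithm name when the xattr records one
    detail: str           # human-readable summary for an audit report


def classify_ima_xattr(raw: Optional[bytes]) -> ImaXattr:
    """Decode a raw security.ima value and say whether it is a signature or merely a hash."""
    if raw is None:
        return ImaXattr("missing", None, "no security.ima xattr")
    if not raw:
        return ImaXattr("malformed", None, "empty xattr")
    t = raw[0]
    if t == IMA_XATTR_DIGEST_NG:
        if len(raw) < 2:
            return ImaXattr("malformed", None, "digest-ng header truncated")
        algo = HASH_ALGO.get(raw[1], f"algo#{raw[1]}")
        return ImaXattr("hash", algo, f"{len(raw) - 2}-byte {algo} digest")
    if t == IMA_XATTR_DIGEST:
        return ImaXattr("legacy-hash", "sha1", f"{len(raw) - 1}-byte legacy digest")
    if t == EVM_IMA_XATTR_DIGSIG:
        # struct signature_v2_hdr: type(1) version(1) hash_algo(1) keyid(4, big-endian)
        # sig_size(2, big-endian), then sig_size bytes of signature.
        if len(raw) < 9:
            return ImaXattr("malformed", None, "signature header truncated")
        version, hash_algo, keyid, sig_size = struct.unpack(">BBIH", raw[1:9])
        if version != 2:
            return ImaXattr("malformed", None, f"unsupported signature version {version}")
        if len(raw) - 9 != sig_size:
            return ImaXattr("malformed", None,
                            f"sig_size {sig_size} but {len(raw) - 9} signature bytes present")
        algo = HASH_ALGO.get(hash_algo, f"algo#{hash_algo}")
        return ImaXattr("signature", algo,
                        f"v2 signature over {algo}, keyid 0x{keyid:08x}, {sig_size} bytes")
    return ImaXattr("malformed", None, f"unknown type byte 0x{t:02x}")


def read_ima_xattr(path: str) -> Optional[bytes]:
    """Read security.ima from a real file (Linux only); None when the xattr is absent."""
    try:
        return os.getxattr(path, "security.ima", follow_symlinks=False)
    except OSError as e:
        if e.errno == errno.ENODATA:
            return None
        raise


def find_not_signed(entries: Dict[str, Optional[bytes]]) -> Dict[str, ImaXattr]:
    """Keep only the files whose security.ima is not a signature, i.e. the ones a
    privileged user could still relabel with a plain hash or an arbitrary value."""
    return {path: info for path, raw in entries.items()
            if (info := classify_ima_xattr(raw)).kind != "signature"}


# Constructed sample values (not real files): a v2 signature with an 8-byte dummy
# signature body, a digest-ng sha256 hash, a legacy sha1 hash, and the literal
# 'FOO' that setfattr wrote in the thread's example.
SAMPLE: Dict[str, Optional[bytes]] = {
    "/usr/bin/signed": (bytes([EVM_IMA_XATTR_DIGSIG, 2, 4])
                        + (0x1234ABCD).to_bytes(4, "big") + (8).to_bytes(2, "big") + b"\x00" * 8),
    "/usr/bin/hashed": bytes([IMA_XATTR_DIGEST_NG, 4]) + hashlib.sha256(b"constructed").digest(),
    "/usr/bin/legacy": bytes([IMA_XATTR_DIGEST]) + hashlib.sha1(b"constructed").digest(),
    "/usr/bin/foo": b"FOO",
    "/usr/bin/unlabelled": None,
}

if __name__ == "__main__":
    for path, info in find_not_signed(SAMPLE).items():
        print(f"{path}: {info.kind} ({info.detail})")
```

To run it against a live system, walk the tree with os.walk and feed {path: read_ima_xattr(path)} to find_not_signed; reading security.* xattrs generally requires root. Anything reported as "hash", "legacy-hash" or "malformed" would not be protected by the signature check Mimi describes, and a "malformed" value such as 'FOO' is what an appraise rule would reject at exec time.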