From: Patrick O. <pat...@in...> - 2016-02-26 07:52:28

On Thu, 2016-02-25 at 11:09 -0500, Mimi Zohar wrote:
> On Thu, 2016-02-25 at 15:29 +0200, Dmitry Rozhkov wrote:
> > On Thu, 2016-02-25 at 07:43 -0500, Mimi Zohar wrote:
> > >
> > > If security.ima isn't being written because the file is not in policy,
> > > that is a different problem. Perhaps try writing a file that is in the
> > > IMA-appraisal policy.
> >
> > Didn't get it. The file is in the IMA-appraisal policy.
> >
> > AFAIU upon file closing ima_inode_setxattr()
> > calls ima_reset_appraise_flags() where IMA_DIGSIG is supposed to be
> > set. But right before setting the flag there's the condition
> >
> > iint = integrity_iint_find(inode);
> > if (!iint)
> >         return;
> >
> > which is true for newly created (and never closed yet) files.
>
> There needs to be a FILE_CHECK rule for the iint to be created for a new
> file.

The policy is essentially just:

appraise fowner=0
measure fowner=0

with some dont_appraise/measure entries earlier for some special
filesystems. How does this have to be extended to have a "FILE_CHECK rule"?

My understanding was that adding a "func" attribute just further limits the
scope of a rule. But to be honest, the exact meaning of the various keywords
remains a black art to me. I'm aware of the syntax definition in the kernel
doc, but that document does not explain the semantics.

--
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter.
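The rule set Patrick describes, written out with the hook named explicitly via func=FILE_CHECK, as an added illustration of the IMA policy syntax under discussion (editor's example, not from the thread; which special filesystems are excluded, and their fsmagic values, are assumptions):

```text
# Added illustration (not from the thread). Assumed exclusions for the
# "special filesystems": procfs and sysfs, by their fsmagic values.
dont_measure fsmagic=0x9fa0         # PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
dont_measure fsmagic=0x62656572     # SYSFS_MAGIC
dont_appraise fsmagic=0x62656572

# The two rules from the message, each carrying the FILE_CHECK hook that
# Mimi's reply refers to, still restricted to root-owned files.
measure func=FILE_CHECK fowner=0
appraise func=FILE_CHECK fowner=0
```

The fragment is in the format accepted by /sys/kernel/security/ima/policy; the original rules without func= are left out here so the two forms are not mixed in one policy.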