From: Dmitry R. <dmi...@li...> - 2016-02-26 12:53:14
On Fri, 2016-02-26 at 06:48 -0500, Mimi Zohar wrote:
> On Fri, 2016-02-26 at 08:52 +0100, Patrick Ohly wrote:
> > On Thu, 2016-02-25 at 11:09 -0500, Mimi Zohar wrote:
> > > On Thu, 2016-02-25 at 15:29 +0200, Dmitry Rozhkov wrote:
> > > > On Thu, 2016-02-25 at 07:43 -0500, Mimi Zohar wrote:
> > > > >
> > > > > If security.ima isn't being written because the file is not
> > > > > in policy, that is a different problem. Perhaps try writing a
> > > > > file that is in the IMA-appraisal policy.
> > > >
> > > > Didn't get it. The file is in the IMA-appraisal policy.
> > > >
> > > > AFAIU upon file closing ima_inode_setxattr()
> > > > calls ima_reset_appraise_flags() where IMA_DIGSIG is supposed to be
> > > > set. But right before setting the flag there's the condition
> > > >
> > > >     iint = integrity_iint_find(inode);
> > > >     if (!iint)
> > > >         return;
> > > >
> > > > which is true for newly created (and never closed yet) files.
> > >
> > > There needs to be a FILE_CHECK rule for the iint to be created for a
> > > new file.
> >
> > The policy is essentially just:
> >
> >     appraise fowner=0
> >     measure fowner=0
> >
> > with some dont_appraise/measure entries earlier for some special
> > filesystems.
>
> This policy measures and appraises everything owned by root. So as long
> as the file is owned by root, the file will be in the file open
> (FILE_CHECK) policy.
>

In other words, with a policy like

    appraise fowner=0
    measure fowner=0

the FILE_CHECK rule is implied for all files and the iint is guaranteed to be created. Then something else is missing for IMA_DIGSIG to be set. I have run out of ideas on what it could be.

BR,
Dima
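The thread turns on whether IMA ends up setting IMA_DIGSIG for the file. In ima_reset_appraise_flags() that flag is set only when the security.ima value written starts with the EVM_IMA_XATTR_DIGSIG type byte; a value of type IMA_XATTR_DIGEST or IMA_XATTR_DIGEST_NG is a plain hash and never sets it. When debugging a case like this, the first thing to check is therefore what actually landed in the xattr. The following decoder is an added example, not code from the thread or from the kernel; it assumes the type values of enum evm_ima_xattr_type (0x01 digest, 0x02 HMAC, 0x03 digsig, 0x04 digest_ng), the hash_algo numbering from the kernel's hash_info.h, and the signature_v2_hdr layout (type, version, hash_algo, big-endian 32-bit keyid, big-endian 16-bit sig_size, signature bytes). The sample xattr values at the bottom are constructed, not captured from a real system.

```python
"""Decode a security.ima value and say whether IMA would treat it as a signature."""
import struct

# Assumed values of enum evm_ima_xattr_type (include/linux/integrity.h).
IMA_XATTR_DIGEST = 0x01      # legacy: type byte followed by a raw SHA-1 digest
EVM_XATTR_HMAC = 0x02        # EVM HMAC; not a valid security.ima type
EVM_IMA_XATTR_DIGSIG = 0x03  # signature: the only type for which IMA sets IMA_DIGSIG
IMA_XATTR_DIGEST_NG = 0x04   # type byte, hash_algo byte, digest

# Subset of enum hash_algo (include/uapi/linux/hash_info.h), assumed numbering.
HASH_ALGO_NAMES = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
                   4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}

# Assumed struct signature_v2_hdr: type, version, hash_algo, __be32 keyid, __be16 sig_size
SIG_V2_HDR = struct.Struct(">BBBIH")


def decode_security_ima(value: bytes) -> dict:
    """Describe a raw security.ima value.

    The 'digsig' key is True exactly when the type byte is EVM_IMA_XATTR_DIGSIG,
    i.e. when ima_reset_appraise_flags() would set IMA_DIGSIG for the inode.
    """
    if not value:
        raise ValueError("empty security.ima value")
    xtype = value[0]
    if xtype == IMA_XATTR_DIGEST:
        return {"type": "IMA_XATTR_DIGEST", "digsig": False,
                "hash_algo": "sha1", "digest": value[1:].hex()}
    if xtype == IMA_XATTR_DIGEST_NG:
        if len(value) < 2:
            raise ValueError("truncated IMA_XATTR_DIGEST_NG value")
        algo = HASH_ALGO_NAMES.get(value[1], "unknown(%d)" % value[1])
        return {"type": "IMA_XATTR_DIGEST_NG", "digsig": False,
                "hash_algo": algo, "digest": value[2:].hex()}
    if xtype == EVM_IMA_XATTR_DIGSIG:
        if len(value) < SIG_V2_HDR.size:
            raise ValueError("truncated signature header")
        _, version, algo_id, keyid, sig_size = SIG_V2_HDR.unpack_from(value)
        if version != 2:
            raise ValueError("only v2 signature headers are decoded here, got %d" % version)
        sig = value[SIG_V2_HDR.size:]
        if len(sig) != sig_size:
            raise ValueError("sig_size %d does not match %d trailing bytes" % (sig_size, len(sig)))
        return {"type": "EVM_IMA_XATTR_DIGSIG", "digsig": True, "version": version,
                "hash_algo": HASH_ALGO_NAMES.get(algo_id, "unknown(%d)" % algo_id),
                "keyid": "%08x" % keyid, "sig_size": sig_size, "signature": sig.hex()}
    return {"type": "unknown(0x%02x)" % xtype, "digsig": False}


def decode_getfattr_line(line: str) -> dict:
    """Decode one 'security.ima=0x...' line as printed by
    'getfattr -m security.ima -e hex -d FILE'."""
    name, _, hexval = line.strip().partition("=")
    if name != "security.ima" or not hexval.startswith("0x"):
        raise ValueError("not a hex-encoded security.ima line: %r" % line)
    return decode_security_ima(bytes.fromhex(hexval[2:]))


# Constructed sample values (placeholders, not from a real file).
SAMPLE_HASH_NG = bytes([IMA_XATTR_DIGEST_NG, 4]) + bytes(32)   # sha256, all-zero digest
SAMPLE_DIGSIG = (SIG_V2_HDR.pack(EVM_IMA_XATTR_DIGSIG, 2, 4, 0x11223344, 4)
                 + b"\xde\xad\xbe\xef")                        # 4-byte placeholder signature

if __name__ == "__main__":
    for label, raw in (("hash", SAMPLE_HASH_NG), ("signature", SAMPLE_DIGSIG)):
        info = decode_security_ima(raw)
        print("%-9s digsig=%-5s %s" % (label, info["digsig"], info["type"]))
    print(decode_getfattr_line("security.ima=0x" + SAMPLE_DIGSIG.hex()))
```

On a live system the input comes from getfattr -m security.ima -e hex -d on the file in question; if the decoder reports a hash type rather than EVM_IMA_XATTR_DIGSIG, the file was written with a hash and IMA_DIGSIG is not expected to be set regardless of the iint lifecycle discussed above.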