From: Kiviluoto, J. J <jaa...@in...> - 2016-11-15 08:55:05
Hi all,

I currently have IMA functioning on a Yocto-based build (kernel 4.8.3) with an overlayfs root filesystem as follows:

- lowerdir = loop-mounted read-only squashfs with IMA signatures set at build time
- upperdir = directory on sync,noexec mounted ext4 partition for writing persistent configs etc.
- workdir on same partition as upperdir

Observations (as root user):

- I cannot edit executables, e.g. /etc/init.d/networking - "Permission denied" as expected
- I can erase (whiteout) executables
- I can create my own (malicious) executable script, and copy it on top of an IMA-signed system binary, and execute it
- "noexec" mount option doesn't seem to have any effect

I get the same results with both of these two policies:

https://github.com/01org/meta-intel-iot-security/blob/master/meta-integrity/data/ima_policy_appraise_all
https://github.com/01org/meta-intel-iot-security/blob/master/meta-integrity/data/ima_policy_hashed

I realize there may be more overlayfs issues than IMA, but is this behavior what others would expect? Can't I somehow tell IMA to strictly enforce the original signature instead of coming up with a new one for replaced files? Or am I better off seeking an alternative to the overlayfs setup?

Many thanks,
Jaakko
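
An added example, not part of the original message: a small audit check for the mount layout described above, which reports overlay mounts that lack noexec while their upperdir sits on a noexec-mounted filesystem. The sample mount table, device names and paths are constructed assumptions.

```python
# Constructed sample in /proc/mounts format, modelled on the setup in the post.
# Device names and mount paths are assumptions, not taken from the message.
SAMPLE_MOUNTS = """\
/dev/loop0 /mnt/ro squashfs ro,relatime 0 0
/dev/mmcblk0p3 /mnt/rw ext4 rw,sync,noexec,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/mnt/ro,upperdir=/mnt/rw/upper,workdir=/mnt/rw/work 0 0
"""

def parse_mounts(text):
    """Return (mountpoint, fstype, options dict) for each /proc/mounts line."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        opts = {}
        for item in fields[3].split(","):
            key, _, value = item.partition("=")
            opts[key] = value
        mounts.append((fields[1], fields[2], opts))
    return mounts

def covering_mount(path, mounts):
    """Longest-prefix match: the mount whose mountpoint contains path."""
    best = None
    for mnt in mounts:
        prefix = mnt[0].rstrip("/")
        inside = path == prefix or path.startswith(prefix + "/")
        if inside and (best is None or len(prefix) > len(best[0].rstrip("/"))):
            best = mnt
    return best

def noexec_gaps(text):
    """Overlay mounts without noexec whose upperdir sits on a noexec mount."""
    mounts = parse_mounts(text)
    findings = []
    for mnt in mounts:
        mountpoint, fstype, opts = mnt
        upper = opts.get("upperdir")
        if fstype != "overlay" or not upper or "noexec" in opts:
            continue
        backing = covering_mount(upper, [m for m in mounts if m is not mnt])
        if backing and "noexec" in backing[2]:
            findings.append((mountpoint, upper, backing[0]))
    return findings

if __name__ == "__main__":
    for overlay, upper, backing in noexec_gaps(SAMPLE_MOUNTS):
        print(f"{overlay}: upperdir {upper} is on noexec mount {backing}; "
              "the overlay mount itself has no noexec flag")
```

On a running system the same function can be given the contents of /proc/mounts instead of the sample string.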