From: Mimi Z. <zo...@li...> - 2016-11-28 18:03:37
On Mon, 2016-11-28 at 17:03 +0100, Black Rabbit wrote:
> Hello,
> I'm trying to measure single files with IMA by using SMACK as described in
> this post https://sourceforge.net/p/linux-ima/mailman/message/25990539/
>
> I've tried to get it to work on a machine running Ubuntu 16.04, kernel
> version 4.4.0-47-generic.
> These are the steps I have performed so far:
>
> - Added "smackfs /sys/fs/smackfs smackfs defaults 0 0" to /etc/fstab
> - Added "security=smack ima_tcb" to the kernel boot parameters in
>   /etc/default/grub
> - Reboot -> smackfs got mounted correctly in /sys/fs/smackfs
> - Now added SMACK policy with `echo "_ M rwxa"` -> ('_', 23 spaces, 'M', 23 spaces, 'rwxa')
> - Added the following content into a file
>
> # PROC_SUPER_MAGIC
> dont_measure fsmagic=0x9fa0
> # SYSFS_MAGIC
> dont_measure fsmagic=0x62656572
> # DEBUGFS_MAGIC
> dont_measure fsmagic=0x64626720
> # TMPFS_MAGIC
> dont_measure fsmagic=0x01021994
> # SECURITYFS_MAGIC
> dont_measure fsmagic=0x73636673
> measure func=BPRM_CHECK
> measure func=FILE_MMAP mask=MAY_EXEC
> measure func=FILE_CHECK mask=MAY_READ obj_user=M
>
> and cat'ed it to /sys/kernel/security/ima/policy
> - Set the attribute M on a testfile via
>   setfattr -n security.SMACK64 -v M testFile.txt

After accessing testFile.txt, does it appear in the measurement list at this point?

> - Reboot the system
> But the file "testFile.txt" did not get measured!? Do I have to do anything
> else?

The policy needs to be loaded on reboot. dracut and systemd have modules that load the IMA policy, but they're enabled by default.

> Is there a way to display the current policies that are being applied?

More recent kernels have a Kconfig option for displaying the policy.

> When adding labels to files that should be measured, does the system always
> require a reboot, so that these files are going to be measured and changes
> to the files noticed?

No, it doesn't require a reboot, but it does require the file system to be mounted with i_version. Otherwise, files that change aren't re-measured.

Mimi

> After the system has rebooted are the previously added policies still there
> or just used for one "system restart session" and then reset to the default?
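The steps discussed in this exchange (load the IMA policy, Smack-label the file, remount with i_version, then look for the file in the measurement list) collected into one script, as an added example that is not part of the thread or of the IMA project. The securityfs paths are the standard IMA ones; the test file path /home/user/testFile.txt, the Smack label "M" from the post, and the sample ascii_runtime_measurements lines (including their hashes) are constructed for illustration. The measurement-list check assumes the ima-ng template, whose lines are "pcr template-hash template-name algo:hash path"; the root-only steps run only when the script is invoked with the argument "apply".

```shell
#!/bin/sh
# Added example: IMA + Smack per-file measurement helper. Not code from the
# mailing-list thread; file names, labels and sample measurement lines are
# constructed for illustration.
set -eu

IMA_POLICY=/sys/kernel/security/ima/policy
IMA_MEASUREMENTS=/sys/kernel/security/ima/ascii_runtime_measurements
TEST_FILE=/home/user/testFile.txt   # assumed path
SMACK_LABEL=M                       # label used in the thread

# The policy from the post: skip pseudo-filesystems, measure executables,
# and measure reads of any file carrying the Smack label "M" (obj_user=M).
ima_policy_text() {
    cat <<'EOF'
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_measure fsmagic=0x01021994
dont_measure fsmagic=0x73636673
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ obj_user=M
EOF
}

# Load the policy into the kernel. It does not persist across reboots, so on
# a real system this function belongs in a boot-time unit (dracut/systemd).
load_ima_policy() {
    ima_policy_text > "$IMA_POLICY"
}

# Put the Smack label on the file so the FILE_CHECK obj_user=M rule matches.
label_file() {
    setfattr -n security.SMACK64 -v "$SMACK_LABEL" "$1"
}

# Remount the filesystem holding the file with i_version, as the reply
# requires; without it a changed file is not re-measured.
enable_iversion() {
    mount -o remount,iversion "$1"
}

# file_measured LIST PATH: print the "algo:hash" of every ima-ng entry for
# PATH in LIST and return 0; return 1 if PATH never appears (not measured).
file_measured() {
    awk -v path="$2" '$5 == path { print $4; found = 1 } END { exit !found }' "$1"
}

# Constructed sample of a measurement list after the labeled file was read
# once (hashes are placeholders). Writes it to a temp file and prints the path.
sample_measurements() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
10 3d6f0b1c9a2e5f4d7c8b1a0e9f3d2c1b0a9e8f7d ima-ng sha1:0000000000000000000000000000000000000000 boot_aggregate
10 1f2e3d4c5b6a79880796a5b4c3d2e1f00f1e2d3c ima-ng sha1:a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 /usr/bin/cat
10 9a8b7c6d5e4f30211203f4e5d6c7b8a9f0e1d2c3 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /home/user/testFile.txt
EOF
    echo "$f"
}

# Root-only procedure on a kernel booted with "security=smack ima_tcb":
#   sh ima-smack.sh apply
case "${1:-}" in
    apply)
        load_ima_policy
        enable_iversion "$(dirname "$TEST_FILE")"
        label_file "$TEST_FILE"
        cat "$TEST_FILE" > /dev/null     # open for read triggers FILE_CHECK
        if file_measured "$IMA_MEASUREMENTS" "$TEST_FILE"; then
            echo "measured: $TEST_FILE"
        else
            echo "NOT measured: $TEST_FILE (check policy load and label)" >&2
            exit 1
        fi
        ;;
esac
```

Running it without "apply" only defines the functions, so the list check can be exercised against a saved copy of ascii_runtime_measurements on any machine; a second entry for the same path after an edit is what i_version-triggered re-measurement looks like in that list.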