From: Svart K. <bla...@gm...> - 2016-11-28 20:29:08
Hi, thanks for the reply.

> After accessing testfile.txt, does it appear in the measurement list at
> this point?

Yes, after I access the file, it is listed in the measurement list ascii_runtime_measurements, but shouldn't it already be measured on reboot then as well, even though the file has not been accessed yet? Now not only the testFile.txt which was assigned the 'M' attribute is added to the measurement list, but every other file as well that is being accessed!?

> The policy needs to be loaded on reboot. dracut and systemd have
> modules that load the IMA policy, but they're enabled by default.

This means that the policies should be loaded automatically already?

> No, it doesn't require a reboot, but it does require the file system to
> be mounted with i_version. Otherwise, files that change aren't
> re-measured.

So if the filesystem is mounted with i_version, and labels are going to be assigned, then the file should be measured immediately as soon as the label has been assigned, and not when the file is accessed for the first time?

Thanks

On 28 November 2016 at 19:03, Mimi Zohar <zo...@li...> wrote:
> On Mon, 2016-11-28 at 17:03 +0100, Black Rabbit wrote:
> > Hello,
> > I'm trying to measure single files with IMA by using SMACK as described in
> > this post https://sourceforge.net/p/linux-ima/mailman/message/25990539/
> >
> > I've tried to get it to work on a machine running Ubuntu 16.04, kernel
> > version 4.4.0-47-generic.
> > These are the steps I have performed so far:
> >
> > - Added "smackfs /sys/fs/smackfs smackfs defaults 0 0" to /etc/fstab
> > - Added "security=smack ima_tcb" to the kernel boot parameters in
> >   /etc/default/grub
> > - Reboot -> smackfs got mounted correctly in /sys/fs/smackfs
> > - Now added SMACK policy with `echo "_ M rwxa"` -> ('_', 23 spaces, 'M', 23 spaces, 'rwxa')
> > - Added the following content into a file
> >
> > # PROC_SUPER_MAGIC
> > dont_measure fsmagic=0x9fa0
> > # SYSFS_MAGIC
> > dont_measure fsmagic=0x62656572
> > # DEBUGFS_MAGIC
> > dont_measure fsmagic=0x64626720
> > # TMPFS_MAGIC
> > dont_measure fsmagic=0x01021994
> > # SECURITYFS_MAGIC
> > dont_measure fsmagic=0x73636673
> > measure func=BPRM_CHECK
> > measure func=FILE_MMAP mask=MAY_EXEC
> > measure func=FILE_CHECK mask=MAY_READ obj_user=M
> >
> > and cat'ed it to /sys/kernel/security/ima/policy
> > - Set the attribute M on a testfile via
> >   setfattr -n security.SMACK64 -v M testFile.txt
>
> After accessing testfile.txt, does it appear in the measurement list at
> this point?
>
> > Reboot the system
> > But the file "testFile.txt" did not get measured!? Do I have to do anything
> > else?
>
> The policy needs to be loaded on reboot. dracut and systemd have
> modules that load the IMA policy, but they're enabled by default.
>
> > Is there a way to display the current policies that are being applied?
>
> More recent kernels have a Kconfig option for displaying the policy.
>
> > When adding labels to files that should be measured, does the system always
> > require a reboot, so that these files are going to be measured and changes
> > to the files noticed?
>
> No, it doesn't require a reboot, but it does require the file system to
> be mounted with i_version. Otherwise, files that change aren't
> re-measured.
>
> Mimi
>
> > After the system has rebooted are the previously added policies still there
> > or just used for one "system restart session" and then reset to the default?
> >
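The check the thread keeps coming back to, as an added shell example that is not from the thread or the linux-ima project: given a file and the contents of ascii_runtime_measurements, find the file's most recent ima-ng entry and compare the digest it records with the file's current content, so a change that was never re-measured (the missing-i_version case Mimi describes) is distinguishable from "never measured at all". The measurement list, template digest and /bin/true entry below are constructed sample data; on a real system the second argument is the output of `cat /sys/kernel/security/ima/ascii_runtime_measurements`.

```shell
#!/bin/sh
# Added example: compare a file's current content against its most recent IMA
# measurement. ima-ng entries in ascii_runtime_measurements look like:
#   <PCR> <template-digest> ima-ng <algo>:<filedata-digest> <filename-hint>
# On a live system the list is read (as root) from
#   /sys/kernel/security/ima/ascii_runtime_measurements

# Print "<algo>:<digest>" from the last ima-ng entry whose filename hint is FILE.
last_measured_digest() {
    file=$1; list=$2
    printf '%s\n' "$list" | awk -v f="$file" '
        $3 == "ima-ng" && $5 == f { d = $4 }
        END { if (d != "") print d }'
}

# Exit status: 0 = measured and the digest matches the current content,
#              1 = measured, but the content changed since the last measurement
#                  (what you see when the file system lacks i_version),
#              2 = no measurement recorded for this file,
#              3 = digest algorithm not handled by this script.
check_measurement() {
    file=$1; list=$2
    recorded=$(last_measured_digest "$file" "$list")
    [ -n "$recorded" ] || return 2
    algo=${recorded%%:*}; digest=${recorded#*:}
    case $algo in
        sha1)   current=$(sha1sum "$file" | cut -d' ' -f1) ;;
        sha256) current=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *)      return 3 ;;
    esac
    [ "$digest" = "$current" ]
}

# Constructed demonstration: one entry for a temp file plus an unrelated entry
# (the template digests and the /bin/true digest are placeholders).
demo() {
    f=$(mktemp)
    printf 'original content\n' > "$f"
    h=$(sha1sum "$f" | cut -d' ' -f1)
    list="10 0000000000000000000000000000000000000000 ima-ng sha1:$h $f
10 1111111111111111111111111111111111111111 ima-ng sha1:2222222222222222222222222222222222222222 /bin/true"
    rc=0; check_measurement "$f" "$list" || rc=$?
    echo "unchanged file: status $rc"           # 0
    printf 'modified content\n' > "$f"          # change without re-measurement
    rc=0; check_measurement "$f" "$list" || rc=$?
    echo "changed, not re-measured: status $rc" # 1
    rm -f "$f"
}
demo
```

A status of 1 for a file that was edited after being read is the symptom of a mount without i_version; a status of 2 for a labelled file that has been read means the FILE_CHECK rule with obj_user=M is not in the loaded policy.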