From: Mimi Z. <zo...@li...> - 2016-12-27 12:52:21
On Tue, 2016-12-27 at 10:52 +0300, Mikhail Kurinnoi wrote:
> I faced an issue where files created by some programs don't have
> an IMA/EVM signature (which they should), for example git, a lot of gtk2/3 programs, etc.
For a file to be labeled properly, the file must be defined in the
policy. Normally, the builtin policy ima_appraise_tcb is defined on
the boot command and then replaced with a custom policy in the
initramfs.
> A short investigation showed me that all these programs, in order to prevent
> data loss, first create a temporary file in the same FS as the destination file, then
> remove the destination file and rename the temporary file to the destination file name.
> All these programs work with mkstemp().
> Condition:
> 1) IMA policy:
> measure func=FILE_CHECK mask=MAY_READ
> appraise func=FILE_CHECK mask=MAY_READ
> measure func=FILE_CHECK mask=MAY_WRITE
> appraise func=FILE_CHECK mask=MAY_WRITE
> measure func=FILE_CHECK mask=MAY_APPEND
> appraise func=FILE_CHECK mask=MAY_APPEND
> 2) FS mounted with iversion flag.
> 3) kernel 4.7.10, IMA/EVM-related boot options: rootflags=i_version ima_appraise=fix evm=fix
The boot command line options "ima_appraise=fix" and "evm=fix" are for
fixing a file system missing these xattrs. Try removing these options
and re-testing.
> First test (create and write into regular file):
> # touch /test
> or
> # echo "123" > /test
> # getfattr -m . -d /test
When displaying the xattrs, it helps to display them in hex ("-e hex"
option).

Mimi
> getfattr: Removing leading '/' from absolute path names
> # file: test
> security.evm=0sAqWCwYz6qoUosD2IAD7s8x3E+G5Q
> security.ima=0sBAbPg+E1fu+4vfFUKFDWbYAH1iDkBQtXFdyD9Kkh02zpzkfQ0TxdhfKw/4MY0od+7C9juTG9R0F6gaU4Mnr5J9o+
> # echo "123" >> /test
> # getfattr -m . -d /test
> getfattr: Removing leading '/' from absolute path names
> # file: test
> security.evm=0sAqB8MIEQSvsB+xs1MalIXkD2r3fq
> security.ima=0sBAbqL+VruMH7WtqEljtC7XG3ZKdLCS11dVFzreBvL0qtqcANbDAuGFA1y+hf3/MWmLypPoZh8MvO9Szy/2WGT9dC
>
> As you can see, everything is working. No messages in the audit syslog.
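The write pattern Mikhail describes (mkstemp() in the destination's directory, write, then rename over the destination) and the xattr check from the test above, as an added example for reproducing the report programmatically; this is not code from the thread or from any of the programs named in it. The file path in main() is a constructed placeholder, and the example assumes a Linux system with glibc's <sys/xattr.h>. has_ima_xattr() is the programmatic equivalent of running `getfattr -m . -d` and looking for security.ima: it distinguishes "xattr absent" (the symptom in the report) from "xattrs unsupported on this filesystem", which `getfattr` output alone does not make obvious.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/xattr.h>

/* Replace `dest` with `data` the way the programs in the report do:
 * create a temporary file next to the destination with mkstemp(3),
 * write and fsync it, then rename(2) it over `dest`.
 * Returns 0 on success, -1 on error with errno set. */
int atomic_replace(const char *dest, const char *data, size_t len)
{
    char tmpl[4096];
    int n = snprintf(tmpl, sizeof tmpl, "%s.XXXXXX", dest);
    if (n < 0 || (size_t)n >= sizeof tmpl) { errno = ENAMETOOLONG; return -1; }

    int fd = mkstemp(tmpl);          /* O_RDWR|O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0) return -1;

    size_t off = 0;
    while (off < len) {
        ssize_t w = write(fd, data + off, len - off);
        if (w < 0) { if (errno == EINTR) continue; goto fail; }
        off += (size_t)w;
    }
    if (fsync(fd) < 0) goto fail;
    if (close(fd) < 0) { fd = -1; goto fail; }
    fd = -1;
    if (rename(tmpl, dest) < 0) goto fail; /* destination now has the temp file's inode and xattrs */
    return 0;
fail:
    {
        int saved = errno;
        if (fd >= 0) close(fd);
        unlink(tmpl);                /* never leave the temp file behind */
        errno = saved;
        return -1;
    }
}

/* Check for the IMA xattr on `path`, like `getfattr -m . -d path | grep security.ima`.
 * Returns 1 if security.ima is present, 0 if it is absent (ENODATA),
 * -1 for any other error (e.g. ENOTSUP: xattrs unsupported on this filesystem). */
int has_ima_xattr(const char *path)
{
    ssize_t n = getxattr(path, "security.ima", NULL, 0); /* size query only */
    if (n >= 0) return 1;
    if (errno == ENODATA) return 0;
    return -1;
}

/* Read the file back to confirm the rename landed the new contents.
 * Returns the number of bytes read, or -1 on error. */
ssize_t read_file(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t total = 0;
    while ((size_t)total < cap) {
        ssize_t r = read(fd, buf + total, cap - (size_t)total);
        if (r < 0) { close(fd); return -1; }
        if (r == 0) break;
        total += r;
    }
    close(fd);
    return total;
}

int main(void)
{
    const char *path = "/tmp/ima-rename-demo"; /* placeholder path, not from the thread */
    if (atomic_replace(path, "123\n", 4) < 0) { perror("atomic_replace"); return 1; }
    int r = has_ima_xattr(path);
    printf("%s: security.ima %s\n", path,
           r == 1 ? "present" : r == 0 ? "ABSENT" : "unknown (xattr error)");
    return 0;
}
```

On a system booted with the policy from the report, run the binary as root against a path on the i_version-mounted filesystem and compare the result with a plain `echo "123" > /test`; the difference between the two cases is exactly what the bug report is about, and the ENOTSUP branch catches the common mistake of testing on a filesystem (or tmpfs) that cannot carry security xattrs at all.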