From: Mikhail K. <vie...@vi...> - 2016-12-27 14:22:00
> > I faced an issue where files created by some programs don't have
> > an IMA/EVM sign (which they should), for example - git, a lot of gtk2/3
> > programs, etc.
>
> For a file to be labeled properly, the file must be defined in the
> policy. Normally, the builtin policy ima_appraise_tcb is defined on
> the boot command and then replaced with a custom policy in the
> initramfs.
Yes, I do it exactly this way. The builtin policy is replaced at early boot
with a custom policy in the initramfs.
> > 2) FS mounted with iversion flag.
> > 3) kernel 4.7.10, IMA/EVM-related boot options: rootflags=i_version
> > ima_appraise=fix evm=fix
>
> The boot command line options "ima_appraise=fix" and "evm=fix" are
> for fixing a file system missing these xattrs. Try removing these
> options and re-testing.
I removed "ima_appraise=fix" and "evm=fix" for testing purposes. Here are the results:
1) I have the same results for a regular file:
# touch /test
# getfattr -m . -d -e hex /test
getfattr: Removing leading '/' from absolute path names
# file: test
security.evm=0x02bf70fed1341366c0d088b1345f2c38c6d2bcae06
security.ima=0x0406cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
# echo "123" >> /test
# getfattr -m . -d -e hex /test
getfattr: Removing leading '/' from absolute path names
# file: test
security.evm=0x0295ecb4eee8f5bca2d60c6b1864b68c5c4e4988ea
security.ima=0x0406ea2fe56bb8c1fb5ada84963b42ed71b764a74b092d75755173ade06f2f4aada9c00d6c302e185035cbe85fdff31698bca93e8661f0cbcef52cf2ff65864fd742
No messages in audit syslog.
2) For the mkstemp() test, the results are different:
# /a.out
# getfattr -m . -d -e hex /test-ah2mFC
(!!! still no output here, the file doesn't have any xattrs)
# cat /test-ah2mFC
cat: /test-ah2mFC: Permission denied
# echo "123" >> /test-ah2mFC
bash: /test-ah2mFC: Permission denied
Audit syslog messages:
pid=7372 uid=0 auid=1000 ses=3 op="appraise_data" cause="missing-hash" comm="cat" name="/test-ah2mFC" fowner=0 dev="dm-1" ino=18961 res=0
pid=6460 uid=0 auid=1000 ses=3 op="appraise_data" cause="missing-hash" comm="bash" name="/test-ah2mFC" fowner=0 dev="dm-1" ino=18961 res=0
> > First test (create and write into regular file):
> > # touch /test
> > or
> > # echo "123" > /test
> > # getfattr -m . -d /test
>
> When displaying the xattrs, it helps to display them in hex ("-e hex"
> option).
Thanks for advice, Mimi.
--
Best regards,
Mikhail Kurinnoi
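The comparison Mikhail runs above (a file created the touch/echo way versus one created by mkstemp(3)), as an added reproduction program that is not part of the thread or of the a.out he used: each file is written and closed, then security.ima is read back with getxattr(2) to see whether IMA labeled it. The /tmp paths and the "123" payload are assumptions; the thread's test used /test and /test-XXXXXX.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/xattr.h>
#include <unistd.h>

/* 1 if security.ima is set on path, 0 if absent (or the filesystem has no
 * xattr support), -1 on any other error. */
int has_security_ima(const char *path)
{
    unsigned char buf[512];
    if (getxattr(path, "security.ima", buf, sizeof buf) >= 0)
        return 1;
    return (errno == ENODATA || errno == ENOTSUP) ? 0 : -1;
}

/* Write a few bytes and close. When appraisal is active, IMA recomputes
 * the hash of a file opened for write on its last close. */
static int write_and_close(int fd)
{
    if (write(fd, "123\n", 4) != 4) { close(fd); return -1; }
    return close(fd);
}

/* touch/echo-style creation: a plain open(O_CREAT). */
int create_regular(const char *path)
{
    int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0644);
    if (fd < 0 || write_and_close(fd) < 0) return -1;
    return has_security_ima(path);
}

/* mkstemp(3) creation (O_EXCL, mode 0600); the template is rewritten in
 * place with the generated name so the caller can inspect and unlink it. */
int create_mkstemp(char *template_path)
{
    int fd = mkstemp(template_path);
    if (fd < 0 || write_and_close(fd) < 0) return -1;
    return has_security_ima(template_path);
}
static const char *label(int r) { return r == 1 ? "present" : r == 0 ? "absent" : "error"; }
int main(void)
{
    char tmpl[] = "/tmp/test-XXXXXX";   /* assumed location; the thread used /test-XXXXXX */
    int r1 = create_regular("/tmp/test-regular");
    int r2 = create_mkstemp(tmpl);
    printf("open(O_CREAT) file security.ima: %s\n", label(r1));
    printf("mkstemp() file security.ima:     %s\n", label(r2));
    unlink("/tmp/test-regular");
    unlink(tmpl);
    return 0;
}
```

On a host where appraisal is active and the policy covers the file, both should report "present"; a "present"/"absent" split between the two reproduces the behaviour in this thread, and on a host without IMA both report "absent".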