From: Mimi Z. <zo...@li...> - 2016-12-27 14:27:27
On Tue, 2016-12-27 at 17:21 +0300, Mikhail Kurinnoi wrote:
> > > I faced an issue where files created by some programs don't have
> > > an IMA/EVM signature (which they should have), for example git, a
> > > lot of gtk2/3 programs, etc.
> >
> > For a file to be labeled properly, the file must be defined in the
> > policy. Normally, the builtin policy ima_appraise_tcb is defined on
> > the boot command and then replaced with a custom policy in the
> > initramfs.
>
> Yes, I do it exactly this way. The builtin policy is replaced on early
> boot with a custom policy in the initramfs.
>
>
> > > 2) FS mounted with iversion flag.
> > > 3) kernel 4.7.10, IMA/EVM-related boot options: rootflags=i_version
> > > ima_appraise=fix evm=fix
> >
> > The boot command line options "ima_appraise=fix" and "evm=fix" are
> > for fixing a file system missing these xattrs. Try removing these
> > options and re-testing.
>
> I removed "ima_appraise=fix" and "evm=fix" for testing purposes. Here are the results:
>
> 1) I have the same results for a regular file:
> # touch /test
> # getfattr -m . -d -e hex /test
> getfattr: Removing leading '/' from absolute path names
> # file: test
> security.evm=0x02bf70fed1341366c0d088b1345f2c38c6d2bcae06
> security.ima=0x0406cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
> # echo "123" >> /test
> # getfattr -m . -d -e hex /test
> getfattr: Removing leading '/' from absolute path names
> # file: test
> security.evm=0x0295ecb4eee8f5bca2d60c6b1864b68c5c4e4988ea
> security.ima=0x0406ea2fe56bb8c1fb5ada84963b42ed71b764a74b092d75755173ade06f2f4aada9c00d6c302e185035cbe85fdff31698bca93e8661f0cbcef52cf2ff65864fd742
>
> No messages in audit syslog.
>
>
> 2) For the mkstemp() test, the results are different:
> # /a.out
> # getfattr -m . -d -e hex /test-ah2mFC
> (!!! still no output here, the file doesn't have any xattrs)
Try running your test program as root, before you install your custom
policy.
Mimi
> # cat /test-ah2mFC
> cat: /test-ah2mFC: Permission denied
> # echo "123" >> /test-ah2mFC
> bash: /test-ah2mFC: Permission denied
>
> Audit syslog messages:
> pid=7372 uid=0 auid=1000 ses=3 op="appraise_data" cause="missing-hash" comm="cat" name="/test-ah2mFC" fowner=0 dev="dm-1" ino=18961 res=0
> pid=6460 uid=0 auid=1000 ses=3 op="appraise_data" cause="missing-hash" comm="bash" name="/test-ah2mFC" fowner=0 dev="dm-1" ino=18961 res=0
>
>
>
> > > First test (create and write into regular file):
> > > # touch /test
> > > or
> > > # echo "123" > /test
> > > # getfattr -m . -d /test
> >
> > When displaying the xattrs, it helps to display them in hex (the "-e hex"
> > option).
>
> Thanks for advice, Mimi.
>
>
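The thread refers to a mkstemp() test program and to xattr values dumped with `getfattr -e hex`, but shows neither the program nor a way to read the values. The following is an added example, not Mikhail's test program and not code from the IMA/EVM project: it creates a file with mkstemp() exactly as discussed, writes to it, closes it, reads `security.ima` back with getxattr(2) and decodes the value into its type byte, hash-algorithm byte and digest, so that "present", "absent" and "malformed" are distinguished rather than inferred from missing output. It is Linux-only; the `IMA_XATTR_DIGEST_NG` and `HASH_ALGO_*` constants are the kernel's UAPI values, and the `/tmp` directory and `ima-test-XXXXXX` template are this example's own choices.

```c
/* Added example (not from the thread): reproduce the mkstemp() check from the
 * discussion and decode the security.ima value instead of eyeballing hex.
 * Linux-only; relies on the kernel's layout of security.ima for digest-ng
 * entries: type byte (4), hash-algorithm byte, raw digest. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

#define IMA_XATTR_DIGEST_NG 4   /* kernel UAPI value (integrity.h) */
#define HASH_ALGO_SHA1      2   /* kernel hash_info.h enum values  */
#define HASH_ALGO_SHA256    4
#define HASH_ALGO_SHA512    6

struct ima_hash {
    int type, algo;
    size_t digest_len;
    unsigned char digest[64];
};

/* Decode a raw security.ima blob. Returns 0 on success, -1 if it is not a
 * digest-ng entry or the length does not match the algorithm byte. */
static int ima_decode(const unsigned char *buf, size_t len, struct ima_hash *out)
{
    size_t want;
    if (len < 2 || buf[0] != IMA_XATTR_DIGEST_NG) return -1;
    switch (buf[1]) {
    case HASH_ALGO_SHA1:   want = 20; break;
    case HASH_ALGO_SHA256: want = 32; break;
    case HASH_ALGO_SHA512: want = 64; break;
    default: return -1;
    }
    if (len - 2 != want) return -1;
    out->type = buf[0]; out->algo = buf[1]; out->digest_len = want;
    memcpy(out->digest, buf + 2, want);
    return 0;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a `getfattr -e hex` style value ("0x0406..."), e.g. one pasted
 * from a mailing-list report, through the same checks as a live read. */
static int decode_hex_ima(const char *hex, struct ima_hash *out)
{
    unsigned char raw[256];
    size_t i, len;
    if (hex[0] == '0' && (hex[1] == 'x' || hex[1] == 'X')) hex += 2;
    len = strlen(hex);
    if (len % 2 || len / 2 > sizeof raw) return -1;
    for (i = 0; i < len / 2; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        raw[i] = (unsigned char)(hi << 4 | lo);
    }
    return ima_decode(raw, len / 2, out);
}

/* Create a file the way the thread's test did (mkstemp), write to it and
 * close it: IMA stores security.ima for policy-covered files when the last
 * writer closes. Then read the xattr back. Returns 1 if a valid digest is
 * present, 0 if the xattr is absent (ENODATA/ENOTSUP), -1 on any other
 * error. The file is unlinked before returning; `dir` is the caller's choice. */
static int check_mkstemp_labelled(const char *dir, struct ima_hash *out)
{
    char path[4096];
    unsigned char buf[256];
    ssize_t n;
    int fd, rc = -1;

    snprintf(path, sizeof path, "%s/ima-test-XXXXXX", dir);  /* assumed template */
    fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, "123\n", 4) == 4 && close(fd) == 0) {
        n = getxattr(path, "security.ima", buf, sizeof buf);
        if (n >= 0)
            rc = ima_decode(buf, (size_t)n, out) == 0 ? 1 : -1;
        else if (errno == ENODATA || errno == ENOTSUP)
            rc = 0;
    } else {
        close(fd);
    }
    unlink(path);
    return rc;
}

int main(void)
{
    struct ima_hash h;
    int rc = check_mkstemp_labelled("/tmp", &h);
    if (rc == 1)
        printf("security.ima present: type %d, hash algo %d, %zu-byte digest\n",
               h.type, h.algo, h.digest_len);
    else if (rc == 0)
        printf("security.ima missing: file not labelled (policy, uid or fs?)\n");
    else
        perror("check failed");
    return rc < 0;
}
```

Run it as root on the system under test, as Mimi suggests, both before and after the custom policy is loaded: a return of 0 with the file created on the root filesystem is the "missing-hash" condition seen in the audit lines above, while a 1 with algo 6 and a 64-byte digest matches the `0406...` values in the regular-file test. Fed the value from the regular-file test, `decode_hex_ima` reports type 4 (digest-ng), algorithm 6 (sha512) and a 64-byte digest, which is why that xattr is 132 hex digits long; the `security.evm` value (type byte 0x02, the HMAC) is correctly rejected as not being an IMA digest.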