From: Mikhail K. <vie...@vi...> - 2016-12-27 15:56:30
> > > > 2) FS mounted with iversion flag.
> > > > 3) kernel 4.7.10, IMA/EVM-related boot options:
> > > > rootflags=i_version ima_appraise=fix evm=fix
> > >
> > > The boot command line options "ima_appraise=fix" and "evm=fix"
> > > are for fixing a file system missing these xattrs. Try removing
> > > these options and re-testing.
> >
> > I removed "ima_appraise=fix" and "evm=fix" for testing purposes. Here
> > are the results:
> >
> > 1) I have the same results for a regular file:
> > # touch /test
> > # getfattr -m . -d -e hex /test
> > getfattr: Removing leading '/' from absolute path names
> > # file: test
> > security.evm=0x02bf70fed1341366c0d088b1345f2c38c6d2bcae06
> > security.ima=0x0406cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
> > # echo "123" >> /test
> > # getfattr -m . -d -e hex /test
> > getfattr: Removing leading '/' from absolute path names
> > # file: test
> > security.evm=0x0295ecb4eee8f5bca2d60c6b1864b68c5c4e4988ea
> > security.ima=0x0406ea2fe56bb8c1fb5ada84963b42ed71b764a74b092d75755173ade06f2f4aada9c00d6c302e185035cbe85fdff31698bca93e8661f0cbcef52cf2ff65864fd742
> >
> > No messages in audit syslog.
> >
> >
> > 2) For the mkstemp() test the results are different:
> > # /a.out
> > # getfattr -m . -d -e hex /test-ah2mFC
> > (!!! still no output here, the file doesn't have any xattrs)
>
> Try running your test program as root, before you install your custom
> policy.

Mimi, thanks a lot!

I did as you advised, and then compared my custom policy with the default one carefully.
The issue was these policy lines:

appraise func=FILE_CHECK mask=MAY_READ
appraise func=FILE_CHECK mask=MAY_WRITE
appraise func=FILE_CHECK mask=MAY_APPEND

They don't cover the mkstemp() work, while at the same time:

appraise

will do it (the default policy also uses appraise without func/mask).

I am a bit confused. I was sure that the 3 lines above would cover all work with regular files.
Looks like I still have a mess in my head about the appraise/measure policy flags. Should read the manuals more carefully next time.

-- 
Best regards,
Mikhail Kurinnoi
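To repeat the mkstemp() check from this thread on a machine of your own, here is an added example (not the a.out program from the original mail): it creates a file with mkstemp(), appends to it as the thread's test did, and reports whether security.ima and security.evm were set, distinguishing "absent" from a real error. The /tmp path template is an assumption.

```c
/* Added example, not the thread's a.out: mkstemp() + append, then check IMA/EVM xattrs. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/xattr.h>

/* 1 if the xattr is set on path, 0 if absent (ENODATA) or unsupported (ENOTSUP), -1 otherwise. */
int xattr_present(const char *path, const char *name)
{
    if (getxattr(path, name, NULL, 0) >= 0)
        return 1;
    if (errno == ENODATA || errno == ENOTSUP)
        return 0;
    return -1;
}

/* Repeat the thread's test: create with mkstemp(), append "123\n", close, then
 * query security.ima and security.evm. The template path is an assumption.
 * Returns 0 on success (path_out holds the created file), -1 on error. */
int mkstemp_xattr_test(const char *template, char *path_out, size_t path_len,
                       int *ima_present, int *evm_present)
{
    char path[256];
    if (snprintf(path, sizeof path, "%s", template) >= (int)sizeof path)
        return -1;
    int fd = mkstemp(path);     /* opens O_RDWR|O_CREAT|O_EXCL */
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, "123\n", 4);
    close(fd);                  /* IMA (re)hashes on the last writer's close */
    if (n != 4) {
        unlink(path);
        return -1;
    }
    *ima_present = xattr_present(path, "security.ima");
    *evm_present = xattr_present(path, "security.evm");
    snprintf(path_out, path_len, "%s", path);
    return 0;
}

int main(void)
{
    char path[256];
    int ima, evm;
    if (mkstemp_xattr_test("/tmp/test-XXXXXX", path, sizeof path, &ima, &evm) < 0)
        return 1;
    printf("%s: ima=%d evm=%d (1 present, 0 absent, -1 error)\n", path, ima, evm);
    unlink(path);
    return 0;
}
```

Run it once with only the three func=FILE_CHECK rules loaded and once with a bare appraise rule to see the difference the mail describes; it reports only whether the xattrs were written, not why.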