[linux-ima-user]EVM does not permit changes on /proc filesystem

From: Vranceanu, Vladut <hidden>
Date: 2020-07-30 12:29:23

Hello,

I have encountered a problem in which I cannot do (for example) a chown on the /proc filesystem; the operation fails with "Operation not permitted" and the kernel logs: audit type=1801 audit(1596110664.495:49): pid=96959 uid=0 auid=1000 ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" name="dev" dev="proc" ino=4026532012 res=0.

       root@ubuntu:/# chown root:root /proc/net/dev; dmesg | tail -1
       chown: changing ownership of '/proc/net/dev': Operation not permitted
       [10053.911258] audit: type=1801 audit(1596111210.774:52): pid=112577 uid=0 auid=1000 ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" name="dev" dev="proc" ino=4026532012 res=0

My IMA setup script is:

       # mount securityfs so the IMA/EVM interfaces are reachable
       mount -n -t securityfs securityfs /sys/kernel/security

       # load the IMA policy line by line, echoing each rule to stderr as it goes
       (set -e; while read i; do echo $i >&2; echo $i; done) </etc/keys/policy >/sys/kernel/security/ima/policy

       # import the x509 certificate into the .ima keyring
       ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
       evmctl import /etc/keys/x509_ima_1.der $ima_id

       # import the same certificate into the .evm keyring
       evm_id="`awk '/\.evm/ { printf "%d", "0x"$1; }' /proc/keys`"
       evmctl import /etc/keys/x509_ima_1.der $evm_id

       # load the kernel master key, then the encrypted EVM key sealed with it
       cat /etc/keys/kmk | keyctl padd user kmk @u
       keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u

       # enable EVM
       echo "1" > /sys/kernel/security/evm

where the policy is:

       dont_appraise fsmagic=0x9fa0
       dont_appraise fsmagic=0x62656572
       dont_appraise fsmagic=0x64626720
       dont_appraise fsmagic=0x01021994
       dont_appraise fsmagic=0x858458f6
       dont_appraise fsmagic=0x1cd1
       dont_appraise fsmagic=0x42494e4d
       dont_appraise fsmagic=0x73636673
       dont_appraise fsmagic=0xf97cff8c

Kernel cmdline is: BOOT_IMAGE=/boot/vmlinuz-5.5.10 root=UUID=40d7131c-1a9b-4d0f-9757-01a5d1819909 ro find_preseed=/preseed.cfg auto noprompt priority=critical locale=en_US ima_appraise=fix quiet, into which I only added ima_appraise=fix/log.
I'm using Ubuntu on 5.5.10 kernel, but I found this originally on Linux 4.9, on dev environment.

I want to mention that I don't have a deep understanding of the Linux kernel or its usage in general, and I am not aware of what else might be causing (or interfering with) this behavior. My understanding is that IMA should not appraise anything (as I left any appraisal rule out of the policy for reproducing this), but is explicitly instructed not to appraise those filesystems, whereas EVM does appraise /proc when it shouldn't. I could speculate and try to trace the problem in the IMA module, but I think the sensible thing to do is to ask whether this is something common (as in, I'm doing something really dumb) or at least solvable, but I could not find anything related to /proc filesystem IMA problems. The problem is not there when EVM is not active (or is in fix mode).

Thank you,
Vlad
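As an added example that is not part of the original mail: the script below cross-checks the policy above against the audit record from the failing chown. It resolves the fsmagic values of the dont_appraise rules to filesystem names using the superblock magic constants from include/uapi/linux/magic.h, parses the key=value fields of the type=1801 (INTEGRITY_METADATA) record, and reports whether the IMA policy excludes the filesystem named in dev=. The name-to-magic table is the only assumption; the policy text and audit line are copied from the mail.

```python
"""Added example, not part of the original mail: cross-check an IMA policy
against an INTEGRITY_METADATA (type=1801) audit record.

It parses the dont_appraise rules, resolves each fsmagic value to the
filesystem name it denotes, parses the audit record's key=value fields, and
reports whether the IMA policy excludes the filesystem named in dev=.
"""
import re
from typing import Dict, List, Optional

# Superblock magic numbers from include/uapi/linux/magic.h, keyed by the
# filesystem type name that the audit record reports in its dev= field.
FS_MAGIC: Dict[str, int] = {
    "proc": 0x9FA0,             # PROC_SUPER_MAGIC
    "sysfs": 0x62656572,        # SYSFS_MAGIC
    "debugfs": 0x64626720,      # DEBUGFS_MAGIC
    "tmpfs": 0x01021994,        # TMPFS_MAGIC
    "ramfs": 0x858458F6,        # RAMFS_MAGIC
    "devpts": 0x1CD1,           # DEVPTS_SUPER_MAGIC
    "binfmt_misc": 0x42494E4D,  # BINFMTFS_MAGIC
    "securityfs": 0x73636673,   # SECURITYFS_MAGIC
    "selinuxfs": 0xF97CFF8C,    # SELINUX_MAGIC
}
MAGIC_NAME: Dict[int, str] = {magic: name for name, magic in FS_MAGIC.items()}

# Inputs copied from the mail: the policy file and the audit record that the
# failing chown produced.
POLICY_TEXT = """\
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x858458f6
dont_appraise fsmagic=0x1cd1
dont_appraise fsmagic=0x42494e4d
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0xf97cff8c
"""
AUDIT_LINE = (
    'audit: type=1801 audit(1596111210.774:52): pid=112577 uid=0 auid=1000 '
    'ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" '
    'name="dev" dev="proc" ino=4026532012 res=0'
)

# key=value, where the value is either a double-quoted string or a bare token
AUDIT_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_policy(text: str) -> List[Dict[str, object]]:
    """Parse IMA policy lines into dicts of {'action': ..., '<cond>': value}.
    fsmagic values are hexadecimal, which is how the kernel reads them."""
    rules: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *conds = line.split()
        rule: Dict[str, object] = {"action": action}
        for cond in conds:
            key, sep, value = cond.partition("=")
            if not sep:
                raise ValueError(f"malformed condition {cond!r} in rule {line!r}")
            rule[key] = int(value, 16) if key == "fsmagic" else value
        rules.append(rule)
    return rules


def parse_audit(line: str) -> Dict[str, str]:
    """Split an audit record into its key=value fields, unquoting quoted values.
    'subj==unconfined' parses as subj='=unconfined' and is left as-is."""
    fields: Dict[str, str] = {}
    for key, value in AUDIT_FIELD.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def excluded_filesystems(rules: List[Dict[str, object]]) -> List[str]:
    """Filesystem names covered by dont_appraise fsmagic= rules (unknown
    magics are reported as hex)."""
    names = []
    for rule in rules:
        if rule["action"] == "dont_appraise" and "fsmagic" in rule:
            magic = rule["fsmagic"]
            names.append(MAGIC_NAME.get(magic, f"0x{magic:x}"))
    return names


def ima_policy_excludes(rules: List[Dict[str, object]], fs_name: str) -> Optional[bool]:
    """True/False when fs_name's magic is known; None when it cannot be mapped."""
    magic = FS_MAGIC.get(fs_name)
    if magic is None:
        return None
    return any(r["action"] == "dont_appraise" and r.get("fsmagic") == magic for r in rules)


def explain(policy_text: str, audit_line: str) -> Dict[str, object]:
    """Combine both parsers into one report for the record's filesystem."""
    rules = parse_policy(policy_text)
    rec = parse_audit(audit_line)
    fs_name = rec.get("dev", "")
    return {
        "audit_type": rec.get("type"),
        "op": rec.get("op"),
        "cause": rec.get("cause"),
        "comm": rec.get("comm"),
        "filesystem": fs_name,
        "ima_excludes_filesystem": ima_policy_excludes(rules, fs_name),
        "ima_excluded_filesystems": excluded_filesystems(rules),
    }


if __name__ == "__main__":
    for key, value in explain(POLICY_TEXT, AUDIT_LINE).items():
        print(f"{key}: {value}")
```

On the mail's inputs the report says the IMA policy does exclude proc, so the dont_appraise rules themselves are not what needs fixing. As I read the kernel's EVM code, the inode setattr hook (evm_inode_setattr) verifies the inode's EVM status on its own and does not consult IMA's dont_appraise rules, which is why an IMA exclusion alone does not silence an op=appraise_metadata denial; cause=unknown is the INTEGRITY_UNKNOWN status that verification reports for the inode.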