From: Mimi Zohar [mailto:zohar@linux.ibm.com]
Sent: Friday, May 8, 2020 7:08 PM
On Fri, 2020-05-08 at 10:20 +0000, Roberto Sassu wrote:

quoted

quoted

From: Mimi Zohar [mailto:zohar@linux.ibm.com]
On Thu, 2020-05-07 at 16:47 +0000, Roberto Sassu wrote:

<snip>

quoted

quoted

quoted

quoted

the file metadata to the file data.  The IMA and EVM policies really
need to be in sync.

It would be nice, but at the moment EVM considers also files that are
not selected by the IMA policy. An example of why this is a problem is
the audit service that fails to start when it tries to adjust the

permissions

quoted

quoted

quoted

of the log files. Those files don't have security.evm because they are
not appraised by IMA, but EVM denies the operation.

No, this is a timing issue as to whether or not the builtin policy or
a custom policy has been loaded.  A custom policy could exclude the
log files based on LSM labels, but they are included in the builtin
policy.

Yes, I was referring to a custom policy. In this case, EVM will not adapt
to the custom policy but still verifies all files. If access control is done
exclusively by IMA at the time evm_verifyxattr() is called, we wouldn't
need to add security.evm to all files.

Roberto, EVM is only triggered by IMA, unless you've modified the
kernel to do otherwise.

EVM would deny xattr/attr operations even if IMA is disabled in the
kernel configuration. For example, evm_setxattr() returns the value
from evm_protect_xattr(). IMA is not involved there.

I'm not interested in a complicated solution, just one that addresses
the new EVM immutable and portable signature.  It might require EVM
HMAC, IMA differentiating between a new file and an existing file, or
it might require writing the new EVM signature last, after all the
other xattrs or metadata are updated.  Please nothing that changes
existing expectations.

Ok. Introducing the new status INTEGRITY_FAIL_IMMUTABLE, as I
mentioned in '[PATCH] ima: Allow imasig requirement to be satisfied by
EVM portable signatures' seems to have an additional benefit. We
could introduce an additional exception in evm_protect_xattr(), other
than INTEGRITY_NOXATTRS, as we know that xattr/attr update won't
cause HMAC update.

However, it won't work unless the IMA policy says that the file should
be appraised when the mknod() system call is executed. Otherwise,
integrity_iint_cache is not created for the file and the IMA_NEW_FILE
flag is not set.

Granting an exception for INTEGRITY_FAIL_IMMUTABLE solves the case
where security.evm is the first xattr set. If a protected xattr is the first to
be added, then we also have to handle the INTEGRITY_NOLABEL error.
It should be fine to add an exception for this error if the HMAC key is not
loaded.

This still does not solve all problems. INTEGRITY_NOLABEL cannot be
ignored if the HMAC key is loaded, which means that all files need to be
protected by EVM to avoid issues like the one I described (auditd).

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli