* [linux-ima-user]EVM does not permit changes on /proc filesystem
@ 2020-07-30 12:29 Vranceanu, Vladut
From: Vranceanu, Vladut @ 2020-07-30 12:29 UTC (permalink / raw)
  To: linux-integrity

Hello,

I have encountered a problem in which I cannot do (for example) a chown on the /proc filesystem; the operation fails with "Operation not permitted" and the kernel logs: audit type=1801 audit(1596110664.495:49): pid=96959 uid=0 auid=1000 ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" name="dev" dev="proc" ino=4026532012 res=0.

       root@ubuntu:/# chown root:root /proc/net/dev; dmesg | tail -1
       chown: changing ownership of '/proc/net/dev': Operation not permitted
       [10053.911258] audit: type=1801 audit(1596111210.774:52): pid=112577 uid=0 auid=1000 ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" name="dev" dev="proc" ino=4026532012 res=0

My ima setup script is:

       mount -n -t securityfs securityfs /sys/kernel/security

       (set -e; while read i; do echo $i >&2; echo $i; done) </etc/keys/policy >/sys/kernel/security/ima/policy

       ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
       evmctl import /etc/keys/x509_ima_1.der $ima_id

       evm_id="`awk '/\.evm/ { printf "%d", "0x"$1; }' /proc/keys`"
       evmctl import /etc/keys/x509_ima_1.der $evm_id

       cat /etc/keys/kmk | keyctl padd user kmk @u
       keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u

       echo "1" > /sys/kernel/security/evm

where the policy is:

       dont_appraise fsmagic=0x9fa0
       dont_appraise fsmagic=0x62656572
       dont_appraise fsmagic=0x64626720
       dont_appraise fsmagic=0x01021994
       dont_appraise fsmagic=0x858458f6
       dont_appraise fsmagic=0x1cd1
       dont_appraise fsmagic=0x42494e4d
       dont_appraise fsmagic=0x73636673
       dont_appraise fsmagic=0xf97cff8c

The kernel cmdline is: BOOT_IMAGE=/boot/vmlinuz-5.5.10 root=UUID=40d7131c-1a9b-4d0f-9757-01a5d1819909 ro find_preseed=/preseed.cfg auto noprompt priority=critical locale=en_US ima_appraise=fix quiet, to which I only added ima_appraise=fix/log.
I'm using Ubuntu on a 5.5.10 kernel, but I found this originally on Linux 4.9, in a dev environment.

I want to mention that I don't have a deep understanding of the Linux kernel or its usage in general, and I am not aware of what else might be causing (or interfering with) this behavior. My understanding is that IMA should not appraise anything (as I left any appraisal rule out of the policy for reproducing this), but it is explicitly instructed not to appraise those filesystems, whereas EVM does appraise on /proc when it shouldn't. I could speculate and try to trace the problem in the IMA module, but I think the sensible thing to do is to ask if this is something common (as in, I'm doing something really dumb) or at least solvable, but I could not find anything related to /proc filesystem IMA problems. The problem is not there when EVM is not active (or is in fix mode).

Thank you,
Vlad
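A small parser for the audit record quoted in the mail, added here as an example and not part of the original message or of the IMA/EVM tooling: it extracts the key=value fields of type=1801 (AUDIT_INTEGRITY_METADATA) records, tolerates the `subj==unconfined` form that AppArmor systems print, and filters the metadata-appraisal denials so they can be counted per filesystem when triaging a policy. The log text is constructed; the first line is the one from the mail, the second is a made-up unrelated record.

```python
"""Pick EVM/IMA metadata-appraisal denials out of dmesg-style audit lines."""
import re
from typing import Dict, List, Optional, Union

# Constructed sample: line 1 is the record quoted in the mail, line 2 is an
# unrelated, made-up record that the filter must ignore.
SAMPLE_DMESG = """\
[10053.911258] audit: type=1801 audit(1596111210.774:52): pid=112577 uid=0 auid=1000 ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" name="dev" dev="proc" ino=4026532012 res=0
[10060.123456] audit: type=1130 audit(1596111220.000:53): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=cron comm="systemd" res=success'
"""

AUDIT_INTEGRITY_METADATA = 1801  # audit type of the op=appraise_metadata records

HEADER_RE = re.compile(r'audit: type=(\d+) audit\((\d+\.\d+):(\d+)\): (.*)$')
# key=value pairs: the value is either double-quoted or a run of non-blank
# characters.  A bare value may itself begin with '=' (subj==unconfined), so
# everything after the first '=' is kept verbatim rather than rejecting the line.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

Value = Union[int, str]


def parse_audit_line(line: str) -> Optional[Dict[str, Value]]:
    """Return the record as a dict, or None if the line is not an audit record."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec: Dict[str, Value] = {"type": int(m.group(1)), "serial": int(m.group(3))}
    rec["timestamp"] = m.group(2)  # kept as text to avoid float rounding
    for key, raw in FIELD_RE.findall(m.group(4)):
        val = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
        rec[key] = int(val) if val.isdigit() else val
    return rec


def evm_metadata_denials(log_text: str) -> List[Dict[str, Value]]:
    """Records where a metadata change (chown/chmod/setxattr) was refused.
    The kernel logs res=0 for a failed appraisal, as in the chown from the mail."""
    out: List[Dict[str, Value]] = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if (rec and rec["type"] == AUDIT_INTEGRITY_METADATA
                and rec.get("op") == "appraise_metadata" and rec.get("res") == 0):
            out.append(rec)
    return out


def describe(rec: Dict[str, Value]) -> str:
    return (f'{rec["comm"]} (pid {rec["pid"]}) denied on {rec["dev"]}:{rec["name"]} '
            f'ino {rec["ino"]} cause={rec["cause"]}')


if __name__ == "__main__":
    for r in evm_metadata_denials(SAMPLE_DMESG):
        print(describe(r))
```

Feeding the output of `dmesg` to `evm_metadata_denials` and grouping on the `dev` field shows directly which filesystems the active policy is still appraising.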


