linux-integrity.vger.kernel.org archive mirror
From: "Vranceanu, Vladut" <Vladut.Vranceanu@harman.com>
To: "linux-integrity@vger.kernel.org" <linux-integrity@vger.kernel.org>
Subject: [linux-ima-user]EVM does not permit changes on /proc filesystem
Date: Thu, 30 Jul 2020 12:29:14 +0000
Message-ID: <27b55b6ae1c347c7a29aefbf62e32e7e@HIMDWSMB07.ad.harman.com>

Hello,

I have encountered a problem in which I cannot do (for example) chown on the /proc filesystem; the operation fails with "Operation not permitted" and the kernel logs: audit type=1801 audit(1596110664.495:49): pid=96959 uid=0 auid=1000 ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" name="dev" dev="proc" ino=4026532012 res=0.

       root@ubuntu:/# chown root:root /proc/net/dev; dmesg | tail -1
       chown: changing ownership of '/proc/net/dev': Operation not permitted
       [10053.911258] audit: type=1801 audit(1596111210.774:52): pid=112577 uid=0 auid=1000 ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" name="dev" dev="proc" ino=4026532012 res=0

My ima setup script is:

       # expose securityfs, which hosts the IMA/EVM control files
       mount -n -t securityfs securityfs /sys/kernel/security

       # load the IMA policy, echoing each rule to stderr as it is written
       (set -e; while read i; do echo $i >&2; echo $i; done) </etc/keys/policy >/sys/kernel/security/ima/policy

       # look up the .ima keyring id in /proc/keys and import the certificate into it
       ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
       evmctl import /etc/keys/x509_ima_1.der $ima_id

       # same for the .evm keyring
       evm_id="`awk '/\.evm/ { printf "%d", "0x"$1; }' /proc/keys`"
       evmctl import /etc/keys/x509_ima_1.der $evm_id

       # load the kernel master key, then the encrypted EVM key sealed with it
       cat /etc/keys/kmk | keyctl padd user kmk @u
       keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u

       # enable EVM
       echo "1" > /sys/kernel/security/evm

where the policy is:

       dont_appraise fsmagic=0x9fa0
       dont_appraise fsmagic=0x62656572
       dont_appraise fsmagic=0x64626720
       dont_appraise fsmagic=0x01021994
       dont_appraise fsmagic=0x858458f6
       dont_appraise fsmagic=0x1cd1
       dont_appraise fsmagic=0x42494e4d
       dont_appraise fsmagic=0x73636673
       dont_appraise fsmagic=0xf97cff8c

The kernel cmdline is: BOOT_IMAGE=/boot/vmlinuz-5.5.10 root=UUID=40d7131c-1a9b-4d0f-9757-01a5d1819909 ro find_preseed=/preseed.cfg auto noprompt priority=critical locale=en_US ima_appraise=fix quiet, to which I only added ima_appraise=fix/log.
I'm using Ubuntu on a 5.5.10 kernel, but I found this originally on Linux 4.9, in a dev environment.

I want to mention that I don't have a deep understanding of the Linux kernel or its usage in general, and I am not aware of what else might be causing (or interfering with) this behavior. My understanding is that IMA should not appraise anything (as I left any appraisal rule out of the policy for reproducing this), but is explicitly instructed not to appraise those filesystems, whereas EVM does appraise on /proc when it shouldn't. I could speculate and try to trace the problem in the IMA module, but I think the sensible thing to do is to ask if this is something common (as in, I'm doing something really dumb) or at least solvable, but I could not find anything related to /proc filesystem IMA problems. The problem is not there when EVM is not active (or is in fix mode).

Thank you,
Vlad
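The audit record and the IMA policy quoted in the message above, correlated by an added script; this is example code written for this page, not code from the original post or from ima-evm-utils. The fsmagic-to-filesystem names mirror include/uapi/linux/magic.h and the audit record type numbers mirror the AUDIT_INTEGRITY_* values in include/uapi/linux/audit.h. It assumes that the dev= field of the record (the superblock's device id) equals the filesystem name, which holds for pseudo filesystems such as proc but not for block-device filesystems. The sample audit line and policy are copied from the post.

```python
"""Correlate a kernel integrity audit record with the IMA policy in force.

Added example for the thread above; not the poster's or ima-evm-utils' code.
"""
import re

# fsmagic= values used in IMA policy rules -> filesystem name
# (constants from include/uapi/linux/magic.h).
FSMAGIC_NAMES = {
    0x9fa0: "proc",              # PROC_SUPER_MAGIC
    0x62656572: "sysfs",         # SYSFS_MAGIC
    0x64626720: "debugfs",       # DEBUGFS_MAGIC
    0x01021994: "tmpfs",         # TMPFS_MAGIC
    0x858458f6: "ramfs",         # RAMFS_MAGIC
    0x1cd1: "devpts",            # DEVPTS_SUPER_MAGIC
    0x42494e4d: "binfmt_misc",   # BINFMTFS_MAGIC
    0x73636673: "securityfs",    # SECURITYFS_MAGIC
    0xf97cff8c: "selinuxfs",     # SELINUX_MAGIC
}

# Integrity subsystem audit record types (AUDIT_INTEGRITY_* in audit.h).
AUDIT_TYPE_NAMES = {
    1800: "INTEGRITY_DATA",      # IMA file content measurement/appraisal
    1801: "INTEGRITY_METADATA",  # EVM protection of file metadata/xattrs
    1802: "INTEGRITY_STATUS",
    1803: "INTEGRITY_HASH",
    1804: "INTEGRITY_PCR",
    1805: "INTEGRITY_RULE",
}

_TS_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\):?")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample inputs, copied from the post above.
SAMPLE_AUDIT_LINE = (
    '[10053.911258] audit: type=1801 audit(1596111210.774:52): pid=112577 '
    'uid=0 auid=1000 ses=4 subj==unconfined op=appraise_metadata '
    'cause=unknown comm="chown" name="dev" dev="proc" ino=4026532012 res=0'
)
SAMPLE_POLICY = """\
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x858458f6
dont_appraise fsmagic=0x1cd1
dont_appraise fsmagic=0x42494e4d
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0xf97cff8c
"""


def parse_audit_record(line):
    """Split an audit record into a dict of its key=value fields.

    Quoted values lose their quotes, decimal values become ints, and the
    'audit(<timestamp>:<serial>)' token becomes 'timestamp' and 'serial'.
    A value such as subj==unconfined (empty LSM context) keeps its leading '='.
    """
    rec = {}
    m = _TS_RE.search(line)
    if m:
        rec["timestamp"] = float(m.group(1))
        rec["serial"] = int(m.group(2))
    for key, val in _KV_RE.findall(_TS_RE.sub("", line)):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        elif re.fullmatch(r"-?\d+", val):
            val = int(val)
        rec[key] = val
    return rec


def parse_ima_policy(text):
    """Parse IMA policy lines into (action, {condition: value}) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, *conds = line.split()
        cond = {}
        for tok in conds:
            key, _, val = tok.partition("=")
            if key == "fsmagic":
                val = int(val, 0)  # accepts the 0x... form used in policies
            cond[key] = val
        rules.append((action, cond))
    return rules


def fs_excluded_from_appraisal(rules, fsname):
    """True if an unconditional 'dont_appraise fsmagic=<fsname magic>' rule exists."""
    magics = {m for m, n in FSMAGIC_NAMES.items() if n == fsname}
    return any(action == "dont_appraise" and set(cond) == {"fsmagic"}
               and cond["fsmagic"] in magics for action, cond in rules)


def diagnose(audit_line, policy_text):
    """Summarise which subsystem denied the operation and whether the IMA
    policy excludes that filesystem from appraisal."""
    rec = parse_audit_record(audit_line)
    rules = parse_ima_policy(policy_text)
    fs = rec.get("dev")  # assumption: dev id == fs name (true for procfs)
    return {
        "record_type": AUDIT_TYPE_NAMES.get(rec.get("type"), "unknown"),
        "op": rec.get("op"),
        "fs": fs,
        "fs_magic": next((hex(m) for m, n in FSMAGIC_NAMES.items() if n == fs), None),
        "denied": rec.get("res") == 0,
        "ima_dont_appraise_covers_fs": fs_excluded_from_appraisal(rules, fs),
        "evm_metadata_check": rec.get("op") == "appraise_metadata",
    }


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_AUDIT_LINE, SAMPLE_POLICY).items():
        print(f"{k}: {v}")
```

Run against the record from the post, the output shows a type 1801 (INTEGRITY_METADATA) record with op=appraise_metadata, which is EVM's metadata hook rather than IMA's content appraisal, while the policy does carry an unconditional dont_appraise rule for PROC_SUPER_MAGIC; that is exactly the mismatch the poster describes, and the script only makes it visible, it does not explain it.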

