Linux-Integrity Archive on
* [linux-ima-user]EVM does not permit changes on /proc filesystem
From: Vranceanu, Vladut @ 2020-07-30 12:29 UTC
  To: linux-integrity


I have encountered a problem in which I cannot run (for example) chown on the /proc filesystem; the operation fails with "Operation not permitted" and the kernel logs: audit type=1801 audit(1596110664.495:49): pid=96959 uid=0 auid=1000 ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" name="dev" dev="proc" ino=4026532012 res=0.

       root@ubuntu:/# chown root:root /proc/net/dev; dmesg | tail -1
       chown: changing ownership of '/proc/net/dev': Operation not permitted
       [10053.911258] audit: type=1801 audit(1596111210.774:52): pid=112577 uid=0 auid=1000 ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" name="dev" dev="proc" ino=4026532012 res=0

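My IMA setup script is:

       # Mount securityfs so the IMA/EVM control files are available
       mount -n -t securityfs securityfs /sys/kernel/security

       # Load the IMA policy one rule at a time, echoing each rule to stderr
       (set -e; while read -r i; do echo "$i" >&2; echo "$i"; done) </etc/keys/policy >/sys/kernel/security/ima/policy

       # Look up the .ima keyring id in /proc/keys and import the certificate
       ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
       evmctl import /etc/keys/x509_ima_1.der "$ima_id"

       # Same for the .evm keyring
       evm_id="`awk '/\.evm/ { printf "%d", "0x"$1; }' /proc/keys`"
       evmctl import /etc/keys/x509_ima_1.der "$evm_id"

       # Load the kernel master key and the encrypted EVM key
       cat /etc/keys/kmk | keyctl padd user kmk @u
       keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u

       # Enable EVM
       echo "1" > /sys/kernel/security/evm

where the policy is: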

       dont_appraise fsmagic=0x9fa0
       dont_appraise fsmagic=0x62656572
       dont_appraise fsmagic=0x64626720
       dont_appraise fsmagic=0x01021994
       dont_appraise fsmagic=0x858458f6
       dont_appraise fsmagic=0x1cd1
       dont_appraise fsmagic=0x42494e4d
       dont_appraise fsmagic=0x73636673
       dont_appraise fsmagic=0xf97cff8c

Kernel cmdline is: BOOT_IMAGE=/boot/vmlinuz-5.5.10 root=UUID=40d7131c-1a9b-4d0f-9757-01a5d1819909 ro find_preseed=/preseed.cfg auto noprompt priority=critical locale=en_US ima_appraise=fix quiet, to which I only added ima_appraise=fix/log.
I'm using Ubuntu on a 5.5.10 kernel, but I originally found this on Linux 4.9, in a dev environment.

I want to mention that I don't have a deep understanding of the Linux kernel or its usage in general, and I am not aware of what else might be causing (or interfering with) this behavior. My understanding is that IMA should not appraise anything (as I left any appraisal rule out of the policy for reproducing this), but explicitly instructed it not to appraise those filesystems, whereas EVM does appraise on /proc when it shouldn't. I could speculate and try to trace the problem in the IMA module, but I think the sensible thing to do is to ask if this is something common (as in, I'm doing something really dumb) or at least solvable, but I could not find anything related to /proc filesystem IMA problems. The problem is not there when EVM is not active (or is in fix mode).

Thank you,
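
A triage helper for the audit record and policy quoted in the message above, added here as an example and not part of the original post or of the IMA/EVM tooling. It decodes the record type and the policy's fsmagic values and reports whether the denied operation hit a filesystem the policy lists under dont_appraise. The function names are hypothetical, and matching dev= against the filesystem type name is an assumption that holds for pseudo filesystems such as proc.

```python
import re

# Constructed inputs: the audit record and policy rules copied from the post.
AUDIT_LINE = ('audit: type=1801 audit(1596111210.774:52): pid=112577 uid=0 '
              'auid=1000 ses=4 subj==unconfined op=appraise_metadata '
              'cause=unknown comm="chown" name="dev" dev="proc" '
              'ino=4026532012 res=0')
POLICY = "\n".join("dont_appraise fsmagic=" + m for m in (
    "0x9fa0", "0x62656572", "0x64626720", "0x01021994", "0x858458f6",
    "0x1cd1", "0x42494e4d", "0x73636673", "0xf97cff8c"))

# Integrity audit record types (include/uapi/linux/audit.h).
AUDIT_TYPES = {1800: "INTEGRITY_DATA", 1801: "INTEGRITY_METADATA",
               1802: "INTEGRITY_STATUS", 1803: "INTEGRITY_HASH",
               1804: "INTEGRITY_PCR", 1805: "INTEGRITY_RULE"}
# Filesystem magic numbers (include/uapi/linux/magic.h) used in the policy.
FS_MAGIC = {0x9fa0: "proc", 0x62656572: "sysfs", 0x64626720: "debugfs",
            0x01021994: "tmpfs", 0x858458f6: "ramfs", 0x1cd1: "devpts",
            0x42494e4d: "binfmt_misc", 0x73636673: "securityfs",
            0xf97cff8c: "selinuxfs"}

def parse_audit(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in fields}

def excluded_filesystems(policy):
    """Names of the filesystems covered by dont_appraise fsmagic= rules."""
    names = set()
    for rule in policy.splitlines():
        m = re.match(r'\s*dont_appraise\s+fsmagic=(0x[0-9a-fA-F]+)', rule)
        if m:
            names.add(FS_MAGIC.get(int(m.group(1), 16), m.group(1)))
    return names

def triage(line, policy):
    """Summarise one integrity audit record against the loaded IMA policy."""
    rec = parse_audit(line)
    return {
        "type": AUDIT_TYPES.get(int(rec["type"]), rec["type"]),
        "op": rec.get("op"),
        "cause": rec.get("cause"),
        "denied": rec.get("res") == "0",  # res=0 marks a failed operation
        # Assumption: dev= carries the filesystem type name (true for proc).
        "fs_in_dont_appraise": rec.get("dev") in excluded_filesystems(policy),
    }

if __name__ == "__main__":
    print(triage(AUDIT_LINE, POLICY))
```

For the record in the post this reports an INTEGRITY_METADATA denial on a filesystem that the IMA policy already lists under dont_appraise, which matches the behaviour the message describes.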
