> From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx] > Sent: Friday, May 8, 2020 7:08 PM > On Fri, 2020-05-08 at 10:20 +0000, Roberto Sassu wrote: > > > From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx] > > > On Thu, 2020-05-07 at 16:47 +0000, Roberto Sassu wrote: > > <snip> > > > > > > the file metadata to the file data. The IMA and EVM policies really > > > > > need to be in sync. > > > > > > > > It would be nice, but at the moment EVM considers also files that are > > > > not selected by the IMA policy. An example of why this is a problem is > > > > the audit service that fails to start when it tries to adjust the > permissions > > > > of the log files. Those files don't have security.evm because they are > > > > not appraised by IMA, but EVM denies the operation. > > > > > > No, this is a timing issue as to whether or not the builtin policy or > > > a custom policy has been loaded. A custom policy could exclude the > > > log files based on LSM labels, but they are included in the builtin > > > policy. > > > > Yes, I was referring to a custom policy. In this case, EVM will not adapt > > to the custom policy but still verifies all files. If access control is done > > exclusively by IMA at the time evm_verifyxattr() is called, we wouldn't > > need to add security.evm to all files. > > Roberto, EVM is only triggered by IMA, unless you've modified the > kernel to do otherwise. EVM would deny xattr/attr operations even if IMA is disabled in the kernel configuration. For example, evm_setxattr() returns the value from evm_protect_xattr(). IMA is not involved there. > I'm not interested in a complicated solution, just one that addresses > the new EVM immutable and portable signature. It might require EVM > HMAC, IMA differentiating between a new file and an existing file, or > it might require writing the new EVM signature last, after all the > other xattrs or metadata are updated. Please nothing that changes > existing expectations. Ok. Introducing the new status INTEGRITY_FAIL_IMMUTABLE, as I mentioned in '[PATCH] ima: Allow imasig requirement to be satisfied by EVM portable signatures' seems to have an additional benefit. We could introduce an additional exception in evm_protect_xattr(), other than INTEGRITY_NOXATTRS, as we know that xattr/attr update won't cause HMAC update. However, it won't work unless the IMA policy says that the file should be appraised when the mknod() system call is executed. Otherwise, integrity_iint_cache is not created for the file and the IMA_NEW_FILE flag is not set. Granting an exception for INTEGRITY_FAIL_IMMUTABLE solves the case where security.evm is the first xattr set. If a protected xattr is the first to be added, then we also have to handle the INTEGRITY_NOLABEL error. It should be fine to add an exception for this error if the HMAC key is not loaded. This still does not solve all problems. INTEGRITY_NOLABEL cannot be ignored if the HMAC key is loaded, which means that all files need to be protected by EVM to avoid issues like the one I described (auditd). Roberto HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Li Jian, Shi Yanli
