IMA appraisal against xz-compressed modules

Hi, 

Recently, while playing around with IMA module check support, I noticed
that when the kernel was compiled/installed with XZ-compressed modules
the IMA kernel infra returns -EACCES on module initialization. Let me
detail a bit more:

I created the policy file (/etc/ima/ima-policy) with

measure func=MODULE_CHECK uid=0
(... and more, policy file is attached)

then rebooted the kernel (that was built with XZ-compressed modules) and
a bunch of modules didn't load, e.g.:

without ima-policy:
# lsmod | wc -l
32

with it:
# lsmod | wc -l
14

These 14 modules were all loaded during the initramfs boot phase, but if I
rmmod some of them and try to modprobe them again (strace output):

init_module(0x55b9bcc9bba0, 17763, "") = -1 EACCES (Permission denied)

The point is that there is no violation, because the error occurs right
after kmod calls init_module(), and the call flows to ima_read_file()
(kernel tree: security/integrity/ima/ima_main.c), which returns -EACCES,
since there is no 'file' structure available (init_module uses a memory
region only and not a file descriptor).

I noticed this behavior on Fedora 26 (using SELinux as the security
framework) with an up-to-date kernel. The question is: should the IMA
kernel mechanism support integrity measurements of memory regions, maybe
following the steps that MODULE_SIGNATURE takes (which checks the module
signature through its mmap region), allowing compressed modules to be
loaded? Or were kernels built with XZ/GZ-compressed modules never meant to
be supported? Is it a bug or a possible enhancement?

Well, thank you guys in advance.

/etc/ima/ima-policy:

# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# RAMFS_MAGIC
dont_measure fsmagic=0x858458f6
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
# MEASUREMENTS
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=MODULE_CHECK uid=0

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt
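An added diagnostic (not from the post or the kernel tree) that parses an IMA policy in the format shown above and flags modules that would take the load path the post describes. It assumes, as the post states, that kmod decompresses .xz/.gz modules in user space and hands the buffer to init_module(), so IMA sees no file; uncompressed .ko files are assumed to go through finit_module() with a file descriptor. The policy text and module names are constructed samples.

```python
import re
from pathlib import PurePosixPath

# Constructed sample policy, mirroring the post's /etc/ima/ima-policy
SAMPLE_POLICY = """\
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# MEASUREMENTS
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=MODULE_CHECK uid=0
"""

COMPRESSED_SUFFIXES = {".xz", ".gz"}  # assumed user-space-decompressed formats

def parse_policy(text):
    """Parse IMA policy lines into (action, {condition: value}) tuples.
    Each rule is an action followed by space-separated key=value conditions."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        action, *conds = line.split()
        rules.append((action, dict(c.split("=", 1) for c in conds)))
    return rules

def module_check_rules(rules):
    """Active (non-dont_*) rules hooked on MODULE_CHECK."""
    return [r for r in rules
            if r[1].get("func") == "MODULE_CHECK" and not r[0].startswith("dont_")]

def load_syscall_for(module_file):
    """Assumed kmod behaviour: compressed modules are decompressed in user space
    and loaded from a buffer via init_module(); plain .ko files use finit_module()."""
    suffix = PurePosixPath(module_file).suffix
    return "init_module" if suffix in COMPRESSED_SUFFIXES else "finit_module"

def affected_modules(policy_text, module_files):
    """Modules that, with a MODULE_CHECK rule present, would reach IMA through
    init_module() with no file to measure (the -EACCES scenario from the post)."""
    if not module_check_rules(parse_policy(policy_text)):
        return []
    return [m for m in module_files if load_syscall_for(m) == "init_module"]

STRACE_RE = re.compile(r'^(f?init_module)\(.*\)\s*=\s*-1 EACCES')

def is_ima_module_denial(strace_line):
    """Recognise the strace signature quoted in the post: init_module() -> EACCES."""
    m = STRACE_RE.match(strace_line.strip())
    return bool(m) and m.group(1) == "init_module"
```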
