On Wed, Nov 15, 2017 at 4:02 PM, James Morris <james.l.morris@xxxxxxxxxx> wrote: > On Wed, 15 Nov 2017, Patrick Ohly wrote: > >> I have some experience with SMACK, but not with Apparmor. At least with >> SMACK the problem is that the LSM depends on integrity protection of >> the xattrs, but the integrity protection itself depends on the LSM, so >> there's a cycle. An attacker can much too easily make offline changes >> which then defeat whatever IMA policy the system might be using. > > Isn't this what EVM is supposed to mitigate? If the path to the loading of the LSM policy isn't fully appraised, then it can be modified offline in order to permit modification of the EVM xattrs at runtime, at which point the kernel will happily generate a new HMAC.