On Wed, 2017-11-15 at 16:05 -0800, Matthew Garrett wrote: > On Wed, Nov 15, 2017 at 4:02 PM, James Morris <james.l.morris@xxxxxxxxxx> wrote: > > On Wed, 15 Nov 2017, Patrick Ohly wrote: > > > >> I have some experience with SMACK, but not with Apparmor. At least with > >> SMACK the problem is that the LSM depends on integrity protection of > >> the xattrs, but the integrity protection itself depends on the LSM, so > >> there's a cycle. An attacker can much too easily make offline changes > >> which then defeat whatever IMA policy the system might be using. > > > > Isn't this what EVM is supposed to mitigate? > > If the path to the loading of the LSM policy isn't fully appraised, > then it can be modified offline in order to permit modification of the > EVM xattrs at runtime, at which point the kernel will happily generate > a new HMAC. Matthew, your explanation is a valid problem, but different than what Patrick was describing. Your description is of protecting the LSM policy itself. Patrick, correct me if I'm wrong, was describing the situation where the LSM labels are modified, causing the file being appraised not to be in the IMA policy. To solve Matthew's problem requires modifying the LSMs so that instead of userspace reading the policy, processing it and loading it into the kernel, the LSMs read the policy file directly. Mimi
