On 11/16/2017 3:13 AM, Mimi Zohar wrote:
On Wed, 2017-11-15 at 16:05 -0800, Matthew Garrett wrote:
On Wed, Nov 15, 2017 at 4:02 PM, James Morris <james.l.morris@xxxxxxxxxx> wrote:
On Wed, 15 Nov 2017, Patrick Ohly wrote:
I have some experience with SMACK, but not with Apparmor. At least with
SMACK the problem is that the LSM depends on integrity protection of
the xattrs, but the integrity protection itself depends on the LSM, so
there's a cycle. An attacker can much too easily make offline changes
which then defeat whatever IMA policy the system might be using.

Isn't this what EVM is supposed to mitigate?

With the default appraisal policy, it can't. IMA determines if a file
must be appraised depending on metadata whose integrity has not been
verified yet. A root process is able to load appraised files with
i_uid = 0 and files with missing/invalid HMAC and i_uid != 0, at the
same time.
Matthew and I are considering policies based on subject criteria rather
than object criteria. The integrity of a process can be guaranteed
because everything that process reads or executes will be appraised.

If the path to the loading of the LSM policy isn't fully appraised,
then it can be modified offline in order to permit modification of the
EVM xattrs at runtime, at which point the kernel will happily generate
a new HMAC.

Matthew, your explanation is a valid problem, but different than what
Patrick was describing. Your description is of protecting the LSM
policy itself. Patrick, correct me if I'm wrong, was describing the
situation where the LSM labels are modified, causing the file being
appraised not to be in the IMA policy.
If the LSM policy is parsed in user space and then uploaded by the
kernel, an offline attack would be to modify the file i_uid to be != 0,
so that any policy can be loaded. Unless, as Matthew mentioned, the
policy is included in a signed initial ram disk.
To solve Matthew's problem requires modifying the LSMs so that instead
of userspace reading the policy, processing it and loading it into the
kernel, the LSMs read the policy file directly.

I agree. The same applies to digest lists, IMA parses them directly.
Roberto

--
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Qiuen PENG, Shengli WANG
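The ordering problem discussed in this thread (IMA decides whether a file must be appraised from inode metadata that EVM has not verified yet) can be shown with a small model. The following Python is an added illustration written for this page; it is not kernel code and not code from any participant. The EVM HMAC is simplified to an HMAC-SHA256 over the security.ima and security.SMACK64 xattrs plus uid, gid, mode and inode number, the key and file contents are constructed sample data, and only two policy rules are modelled: the object-criteria rule `appraise fowner=0` from the default policy and a subject-criteria rule `appraise uid=0` of the kind Roberto and Matthew describe.

```python
"""Toy model of IMA appraisal policy matching versus EVM metadata protection.

Added illustration, not kernel code. It models the cycle described in the
thread: an object-criteria policy rule reads i_uid before EVM has verified it,
so an offline metadata change can move a file out of the appraised set. A
subject-criteria rule appraises everything a root process opens, so the same
change is caught by the EVM HMAC mismatch.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample key; a real EVM key is loaded from the kernel keyring.
EVM_KEY = b"constructed-evm-hmac-key"


@dataclass
class Inode:
    ino: int
    uid: int
    gid: int
    mode: int
    data: bytes
    xattrs: dict = field(default_factory=dict)


def ima_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def evm_hmac(inode: Inode) -> bytes:
    # Assumption: HMAC over the protected xattrs plus inode metadata in a
    # fixed order, mirroring the inputs the real EVM HMAC covers.
    h = hmac.new(EVM_KEY, digestmod="sha256")
    for name in ("security.ima", "security.SMACK64"):
        h.update(name.encode() + b"\0" + inode.xattrs.get(name, b"") + b"\0")
    h.update(f"{inode.uid}:{inode.gid}:{inode.mode:o}:{inode.ino}".encode())
    return h.digest()


def label_file(inode: Inode, smack_label: bytes) -> None:
    """Write the LSM label, the IMA digest and the EVM HMAC (as at install time)."""
    inode.xattrs["security.SMACK64"] = smack_label
    inode.xattrs["security.ima"] = ima_digest(inode.data)
    inode.xattrs["security.evm"] = evm_hmac(inode)


def must_appraise(rule: str, inode: Inode, subject_uid: int) -> bool:
    """Policy match. The object rule consults the file owner, which has not
    been verified at this point; the subject rule consults the process uid."""
    if rule == "appraise fowner=0":
        return inode.uid == 0
    if rule == "appraise uid=0":
        return subject_uid == 0
    raise ValueError(f"unsupported rule: {rule}")


def appraise(inode: Inode) -> bool:
    """EVM then IMA verification; True only when both HMAC and digest match."""
    stored = inode.xattrs.get("security.evm")
    if stored is None or not hmac.compare_digest(stored, evm_hmac(inode)):
        return False
    return hmac.compare_digest(inode.xattrs["security.ima"], ima_digest(inode.data))


def open_file(rule: str, inode: Inode, subject_uid: int) -> str:
    """Returns 'allowed', 'denied', or 'not-appraised' (policy did not match)."""
    if not must_appraise(rule, inode, subject_uid):
        return "not-appraised"
    return "allowed" if appraise(inode) else "denied"


def offline_metadata_change(inode: Inode) -> None:
    """Model of a change made without the EVM key: owner and LSM label differ
    from what the stored HMAC was computed over."""
    inode.uid = 1000
    inode.xattrs["security.SMACK64"] = b"_"


def demo(rule: str) -> tuple:
    """Open a root-owned labelled file as root before and after the change."""
    f = Inode(ino=42, uid=0, gid=0, mode=0o644, data=b"constructed policy file")
    label_file(f, b"System")
    before = open_file(rule, f, subject_uid=0)
    offline_metadata_change(f)
    after = open_file(rule, f, subject_uid=0)
    return before, after


if __name__ == "__main__":
    # Object rule: the changed file silently leaves the appraised set.
    print("fowner=0:", demo("appraise fowner=0"))
    # Subject rule: the root process still appraises it and EVM rejects it.
    print("uid=0:   ", demo("appraise uid=0"))
```

With the object-criteria rule the second open returns `not-appraised`: the policy match read the modified owner and never reached the EVM check, which is exactly the gap the thread describes. With the subject-criteria rule the same file is appraised because the opening process is root, and the stale HMAC makes the open fail closed.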