On Thu, 2017-11-16 at 10:23 +0100, Roberto Sassu wrote:
> On 11/16/2017 3:13 AM, Mimi Zohar wrote:
> > On Wed, 2017-11-15 at 16:05 -0800, Matthew Garrett wrote:
> >> On Wed, Nov 15, 2017 at 4:02 PM, James Morris <james.l.morris@xxxxxxxxxx> wrote:
> >>> On Wed, 15 Nov 2017, Patrick Ohly wrote:
> >>>
> >>>> I have some experience with SMACK, but not with Apparmor. At least with
> >>>> SMACK the problem is that the LSM depends on integrity protection of
> >>>> the xattrs, but the integrity protection itself depends on the LSM, so
> >>>> there's a cycle. An attacker can much too easily make offline changes
> >>>> which then defeat whatever IMA policy the system might be using.
> >>>
> >>> Isn't this what EVM is supposed to mitigate?
>
> With the default appraisal policy, it can't. IMA determines if a file
> must be appraised depending on metadata whose integrity has not been
> verified yet. A root process is able to load appraised files with
> i_uid = 0 and files with missing/invalid HMAC and i_uid != 0, at the
> same time.

The LSMs are responsible for protecting their own labels. They have the
opportunity to verify and deny access to files based on LSM labels,
BEFORE IMA-appraisal is called to verify the file's integrity. Look at
security/security.c and see that IMA is called AFTER the LSMs.

The same is true for the other IMA hooks, that are not co-located with
LSM hooks. For example, the security_file_open hook is called before
the ima_file_check() hook.

Mimi
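The following is an added illustration of the call ordering Mimi describes, not code from this thread and not the kernel's own security/security.c. It is a toy C model: the LSM file_open hook runs first and a denial short-circuits, and only if every LSM allows the open does the IMA appraisal step see the file. The names toy_open(), toy_lsm_file_open() and toy_ima_file_check() are hypothetical stand-ins for the real security_file_open() / ima_file_check() pair; the file contents, labels, the FNV-1a digest and the three scenarios are all constructed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory "file": an LSM label xattr (think security.SMACK64)
 * and the content digest an IMA xattr (security.ima) would carry. */
struct toy_file {
    const char *lsm_label;
    const char *content;
    uint32_t stored_hash;
};

/* The opening process's own label. */
struct toy_cred {
    const char *label;
};

/* Toy content digest (FNV-1a); a stand-in for the real hash algorithm. */
static uint32_t toy_hash(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Hypothetical LSM file_open hook with a Smack-like rule:
 * the subject label must match the object label, else deny. */
static int toy_lsm_file_open(const struct toy_file *f, const struct toy_cred *c)
{
    return strcmp(f->lsm_label, c->label) == 0 ? 0 : -EACCES;
}

/* Bumped each time appraisal actually runs, so a caller can tell
 * whether the IMA step was reached at all. */
int appraisals_run;

/* Hypothetical stand-in for ima_file_check(): the measured content
 * must match the digest stored in the IMA xattr. */
static int toy_ima_file_check(const struct toy_file *f)
{
    appraisals_run++;
    return toy_hash(f->content) == f->stored_hash ? 0 : -EPERM;
}

/* Stand-in for the open path: LSM hooks run first and a denial
 * short-circuits; only then does IMA appraisal get a look at the file. */
int toy_open(const struct toy_file *f, const struct toy_cred *c)
{
    int ret = toy_lsm_file_open(f, c);
    if (ret)
        return ret;
    return toy_ima_file_check(f);
}

/* Three constructed scenarios:
 *   0: untouched file                               -> LSM allows, appraisal passes
 *   1: label changed offline                        -> LSM denies, appraisal never runs
 *   2: content changed offline, IMA xattr left stale -> LSM allows, appraisal denies
 * Returns the open result; appraisals_run tells whether IMA ran. */
int toy_scenario(int which)
{
    static const char *content = "#!/bin/sh\necho ok\n";
    struct toy_cred cred = { .label = "System" };
    struct toy_file f = {
        .lsm_label = "System",
        .content = content,
        .stored_hash = toy_hash(content),
    };

    if (which == 1)
        f.lsm_label = "_";
    else if (which == 2)
        f.content = "#!/bin/sh\necho changed\n";

    appraisals_run = 0;
    return toy_open(&f, &cred);
}

int main(void)
{
    for (int which = 0; which < 3; which++) {
        int ret = toy_scenario(which);
        printf("scenario %d: open() -> %d, appraisal ran: %s\n",
               which, ret, appraisals_run ? "yes" : "no");
    }
    return 0;
}
```

Scenario 1 is the point of the reply: a label that was altered offline is rejected by the LSM's own check, so appraisal is never consulted for that file; scenario 2 shows the case that does reach IMA, where the stale digest fails appraisal.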