Re: IMA keyctl problems

On Mon, Dec 11, 2017 at 8:48 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> The "uid=" is a condition that limits which files to appraise.  By
> changing "uid=" to 0, I assume by "worked as expected" means nothing
> verified.

Not quite. When I say "works as expected" I mean everything worked
(since I signed all binaries) except for one, which was logged, as I
mentioned, and when I turned it on to enforce, it gave me permission
denied. As root.

> This all seems to indicate that the keys are not being loaded onto
> root's _ima keyring.  See if there is a difference if you "su -",
> before creating the _ima keyring.

I was running this as uid 0 in the initramfs. It's in a keyring named
_ima and it's linked to @u. That appears to not be sufficient. How do
I create a keyring that spans all users' @u?

> Even if you don't add any keys during boot, enabling dracut/systemd
> would at least properly create the _ima keyring.

Do you have a pointer as to what I'm doing wrong? I attached the script
I'm running in my initramfs. I'd rather figure out what I'm doing
wrong before punting this to another tool for now.

As for the current behavior --

I've rebooted the machine, here's some output from a terminal from
both root and the user from the keyring as set up currently --

The user can find the keyring called _ima which is attached to root's
@u, but it is not in the user's @u (which should be fine, except it's
not). The user can still find the _ima keyring.

```
# whoami
root
# keyctl show @u
Keyring
 860222890 --alswrv      0 65534  keyring: _uid.0
1007461092 --alswrv      0     0   \_ keyring: _ima
 484254545 --alswrv      0     0       \_ asymmetric: Local IMA Key
# keyctl show %keyring:_ima
Keyring
1007461092 --alswrv      0     0  keyring: _ima
 484254545 --alswrv      0     0   \_ asymmetric: Local IMA Key
# exit
$ whoami
user
$ keyctl show @u
Keyring
 958372548 --alswrv   1000 65534  keyring: _uid.1000
$ keyctl show %keyring:_ima
Keyring
1007461092 --alswrv      0     0  keyring: _ima
 484254545 --alswrv      0     0   \_ asymmetric: Local IMA Key
$
```

This, however, is in the failed state, unless I change uid to 0 and
check enforcement as root rather than user.


  Paul




-- 
:wq

Attachment: ima
Description: Binary data
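Added example, not part of the thread or of Paul's attached script: a small POSIX sh helper that parses the text printed by `keyctl show @u` and reports whether an `_ima` keyring holding at least one asymmetric key is linked under that user's @u. Run it once as root and once as the appraised user to reproduce the difference shown above (the two sample outputs below are copied from the message; the keyring ids in them are as posted). The `ima_keyring_setup` function shows the `keyctl`/`evmctl`-style commands for creating the per-user `_ima` keyring and loading a DER certificate into it; the certificate path is an assumption for the example.

```shell
#!/bin/sh
# Added example: check a user's @u for a populated _ima keyring.
#
# ima_keyring_state reads `keyctl show @u` output on stdin and exits with:
#   0  an "_ima" keyring is linked under @u and holds >= 1 asymmetric key
#   1  an "_ima" keyring is linked but holds no asymmetric key
#   2  no "_ima" keyring is linked under @u at all
ima_keyring_state() {
    awk '
        # the _ima keyring line itself; everything until the next keyring
        # line belongs to its subtree
        /keyring: _ima$/ { in_ima = 1; found = 1; next }
        in_ima && /keyring:/ { in_ima = 0 }
        in_ima && /asymmetric:/ { keys++ }
        END {
            if (!found) exit 2
            if (keys == 0) exit 1
            exit 0
        }'
}

# Sample outputs copied from the message above (root and uid 1000).
ROOT_U_SAMPLE='Keyring
 860222890 --alswrv      0 65534  keyring: _uid.0
1007461092 --alswrv      0     0   \_ keyring: _ima
 484254545 --alswrv      0     0       \_ asymmetric: Local IMA Key'

USER_U_SAMPLE='Keyring
 958372548 --alswrv   1000 65534  keyring: _uid.1000'

# Constructed case: _ima keyring present but nothing loaded into it.
EMPTY_IMA_SAMPLE='Keyring
 123456789 --alswrv   1000 65534  keyring: _uid.1000
 223456789 --alswrv   1000  1000   \_ keyring: _ima'

# Convenience wrapper: feed a saved `keyctl show @u` transcript in $1.
check_sample() {
    printf '%s\n' "$1" | ima_keyring_state
}

# Create (or reuse) the _ima keyring on the *calling* user's @u and load a
# DER-encoded X.509 certificate into it. Run as the user whose files are to
# be appraised. The default certificate path is an assumption.
ima_keyring_setup() {
    cert=${1:-/etc/keys/x509_ima.der}
    id=$(keyctl search @u keyring _ima 2>/dev/null) || id=$(keyctl newring _ima @u)
    # asymmetric keys take their description from the certificate, so
    # the description argument is left empty
    keyctl padd asymmetric "" "$id" < "$cert" >/dev/null
    keyctl show @u | ima_keyring_state
}

# Stand-alone demonstration of the checker on the three transcripts.
for name in ROOT_U_SAMPLE USER_U_SAMPLE EMPTY_IMA_SAMPLE; do
    eval "sample=\$$name"
    check_sample "$sample"
    printf '%s: exit %s\n' "$name" "$?"
done
```

Run as each user of interest, `keyctl show @u | ima_keyring_state; echo $?` gives a quick yes/no on whether that user's @u carries a usable `_ima` keyring, which is the state the thread is trying to get to for uid 1000.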

