Hello,
I have encountered this problem in which I cannot do (for example) chown on the /proc filesystem, operation which fails with Operation not permitted and kernel logging: audit type=1801 audit(1596110664.495:49): pid=96959 uid=0 auid=1000 ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" name="dev" dev="proc" ino=4026532012 res=0.
root@ubuntu:/# chown root:root /proc/net/dev; dmesg | tail -1
chown: changing ownership of '/proc/net/dev': Operation not permitted
[10053.911258] audit: type=1801 audit(1596111210.774:52): pid=112577 uid=0 auid=1000 ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" name="dev" dev="proc" ino=4026532012 res=0
My ima setup script is:
mount -n -t securityfs securityfs /sys/kernel/security
(set -e; while read i; do echo $i >&2; echo $i; done) </etc/keys/policy >/sys/kernel/security/ima/policy
ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
evmctl import /etc/keys/x509_ima_1.der $ima_id
evm_id="`awk '/\.evm/ { printf "%d", "0x"$1; }' /proc/keys`"
evmctl import /etc/keys/x509_ima_1.der $evm_id
cat /etc/keys/kmk | keyctl padd user kmk @u
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
echo "1" > /sys/kernel/security/evm
, where policy is:
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x858458f6
dont_appraise fsmagic=0x1cd1
dont_appraise fsmagic=0x42494e4d
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0xf97cff8c
Kernel cmdline is: BOOT_IMAGE=/boot/vmlinuz-5.5.10 root=UUID=40d7131c-1a9b-4d0f-9757-01a5d1819909 ro find_preseed=/preseed.cfg auto noprompt priority=critical locale=en_US ima_appraise=fix quiet, into which I only added ima_appraise=fix/log.
I'm using Ubuntu on 5.5.10 kernel, but I found this originally on Linux 4.9, on dev environment.
I want to mention I don't have a deep understanding on the Linux kernel or usage, in general, and I am not aware on what else might be causing(or interfering with) this behavior. My understanding is that IMA should not appraise anything(as I left out any appraisal rule out of the policy for reproducing this), but explicitly instructed not to appraise those filesystems, whereas EVM does appraise on /proc when it shouldn't. I could speculate and try trace the problem in the IMA module, but I think the sensible thing to do is to ask if this is something common(as in, I'm doing something really dumb) or at least solvable, but I could not find anything related to the /proc filesystem IMA problems. Problem is not there when EVM is not active( or is on fix mode).
Thank you,
Vlad
