I am interested in knowing the expected appraisal behavior after a signed script has been modified. I am asking because I observe that a modified signed script can be executed.

In my effort, I did the following:

0) Configure IMA with the only positive appraisal being:

    appraise func=BPRM_CHECK appraise_type=imasig

1) Create a simple script, as shown here:

    #!/bin/bash
    echo "Hello World"

2) Try to execute the script and see a failure, as expected:

    # ./hello.sh
    bash: ./hello.sh: /bin/bash: bad interpreter: Permission denied

   and see:

    journalctl | grep INTEG
    Oct 24 02:26:32 ctx0700 audit[7135]: INTEGRITY_DATA pid=7135 uid=0 auid=0 ses=4 subj=root:staff_r:staff_t:s0-s0:c0.c1023 op="appraise_data" cause="IMA-signature-required" comm="bash" name="/sysroot/home/root/hello.sh" dev="mmcblk0p6" ino=23072 res=0

3) Sign the script:

    evmctl ima_sign -k /etc/keys/privkey_ima.pem ./hello.sh

4) Execute:

    # ./hello.sh
    Hello World

5) Modify the script to read:

    #!/bin/bash
    echo "Hello World"
    echo "Hello Again"      >>>>>>>>> ****************** <<<<<<<<<<

6) Execute the script and observe that the modified script executes successfully. This was unexpected.

    # ./hello.sh
    Hello World
    Hello Again

The signature was unchanged.

In order to avoid crowding this email with too much info, I have omitted some details such as the actual signature and the full policy (with dont_appraise fs=xxxx) and kernel config, but will be glad to augment this as requested. But first, I want to start by understanding if this behavior is expected.

I am running a 4.14.238 kernel.
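The following is an added example, not part of the mail above and not evmctl's or the kernel's own code. It reproduces steps 3 to 5 offline with openssl in place of evmctl: an RSA signature over the sha256 digest of hello.sh (the same primitive evmctl ima_sign uses) is created, the file is modified exactly as in step 5 while the signature is left untouched, and the signature is then re-verified against the current contents. It assumes openssl is installed and uses a throwaway key generated in a temporary directory rather than /etc/keys/privkey_ima.pem. The point it makes is the check a reader of the report would want first: a signature computed over the original contents cannot verify the modified contents, so if the modified script still runs, appraisal of the current file contents did not happen at exec time (whatever the reason turns out to be), rather than the signature somehow still being valid.

```shell
#!/bin/sh
# Added example (not from the original mail): reproduce the sign -> modify ->
# verify sequence from the report with openssl instead of evmctl.
# Assumptions: openssl is installed; a throwaway RSA key is generated here
# instead of /etc/keys/privkey_ima.pem; everything lives in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway key pair standing in for the IMA signing key and its public half.
openssl genrsa -out "$WORK/privkey_ima.pem" 2048 2>/dev/null
openssl rsa -in "$WORK/privkey_ima.pem" -pubout -out "$WORK/pubkey.pem" 2>/dev/null

# Stand-in for "evmctl ima_sign": RSA signature over the sha256 digest of the
# file contents, stored next to the file (evmctl stores it in security.ima).
ima_sign() {  # ima_sign <file> <privkey>
    openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
}

# Stand-in for appraisal: recompute the digest of the *current* contents and
# check it against the stored signature. Prints "ok" or "fail", returns 0 or 1.
ima_verify() {  # ima_verify <file> <pubkey>
    if openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo fail
    return 1
}

# Step 1 of the report: the original script (constructed here).
printf '#!/bin/bash\necho "Hello World"\n' > "$WORK/hello.sh"

# Step 3: sign it, and confirm the signature verifies as in step 4.
ima_sign "$WORK/hello.sh" "$WORK/privkey_ima.pem"
before=$(ima_verify "$WORK/hello.sh" "$WORK/pubkey.pem")

# Step 5: append the extra line and leave the signature untouched.
printf 'echo "Hello Again"\n' >> "$WORK/hello.sh"
after=$(ima_verify "$WORK/hello.sh" "$WORK/pubkey.pem" || true)

echo "signature check before modification: $before"
echo "signature check after modification:  $after"
```

On a running system the corresponding check is to read the security.ima xattr of the modified file and compare the signed digest with a freshly computed sha256 of the file; a mismatch together with a successful exec points at the policy or at a cached appraisal result, not at the signature.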