On Sun, 2022-10-23 at 20:07 -0700, Ken Williams wrote:
> I am interested in knowing the expected appraisal behavior after a
> signed script has been modified. I am asking because I observe that a
> modified signed script can be executed. In my effort, I did the
> following:
>
> 0) Configure IMA with the only positive appraisal being:
> appraise func=BPRM_CHECK appraise_type=imasig
>
> 1) Create a simple script, as shown here:
> #!/bin/bash
>
> echo "Hello World"
>
> 2) Try to execute the script and see a failure as expected:
> # ./hello.sh
> bash: ./hello.sh: /bin/bash: bad interpreter: Permission denied
>
> and see:
> journalctl | grep INTEG
> Oct 24 02:26:32 ctx0700 audit[7135]: INTEGRITY_DATA pid=7135 uid=0
> auid=0 ses=4 subj=root:staff_r:staff_t:s0-s0:c0.c1023
> op="appraise_data" cause="IMA-signature-required" comm="bash"
> name="/sysroot/home/root/hello.sh" dev="mmcblk0p6" ino=23072 res=0
>
> 3) Sign the script:
> evmctl ima_sign -k /etc/keys/privkey_ima.pem ./hello.sh
>
> 4) Execute
> # ./hello.sh
> Hello World
>
> 5) Modify the script to read:
> #!/bin/bash
>
> echo "Hello World"
> echo "Hello Again"
>
> >>>>>>>>> ****************** <<<<<<<<<<
> 6) Execute the script and observe that the modified script executes successfully
> This was unexpected.
> # ./hello.sh
> Hello World
> Hello Again
>
> The signature was unchanged.
>
> In order to avoid crowding this email with too much info, I have
> omitted some details such as the actual signature and the full policy
> (with dont_appraise fs=xxxx) and kernel config, but will be glad to
> augment this as requested. But first, I want to start by
> understanding if this behavior is expected.
>
> I am running a 4.14.238 kernel.

The file open hook prevents signed files from being modified and for
hashed files results in the iint cache status being updated on __fput.

Define an appraise "func=FILE_CHECK" rule.

--
thanks,

Mimi
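An IMA policy fragment, added here as an illustration and not taken from either message in the thread, showing the BPRM_CHECK-only policy from the report beside a policy that also carries the FILE_CHECK appraise rule suggested in the reply. The dont_appraise fsmagic values are the kernel's standard filesystem magic numbers; restricting the FILE_CHECK rule with fowner=0 is my own choice to keep it to root-owned files, not something the thread prescribes.

```text
# Added example (not from the thread). Lines starting with '#' are commentary;
# an actual /etc/ima/ima-policy file carries no comments.

# --- Policy as described in the report: appraise on execve only -------------
# BPRM_CHECK is the execve hook. Opening hello.sh for write is not an execve,
# so nothing in this policy stops the edit made in step 5.
appraise func=BPRM_CHECK appraise_type=imasig

# --- Policy with the FILE_CHECK rule from the reply -------------------------
# Exclude pseudo-filesystems that carry no security.ima xattrs; the fsmagic
# values are the kernel filesystem magic numbers from linux/magic.h.
dont_appraise fsmagic=0x9fa0        # procfs
dont_appraise fsmagic=0x62656572    # sysfs
dont_appraise fsmagic=0x64626720    # debugfs
dont_appraise fsmagic=0x01021994    # tmpfs
dont_appraise fsmagic=0x1cd1        # devpts
dont_appraise fsmagic=0x73636673    # securityfs
dont_appraise fsmagic=0xf97cff8c    # selinuxfs

# FILE_CHECK is the file open hook. Without a mask= restriction the rule covers
# opens for read and for write, so a signed file cannot be opened for writing
# and a hash-appraised file has its iint status refreshed when the last writer
# closes it. fowner=0 is an assumption: it limits the rule to root-owned files
# so signatures are not demanded on every user-owned file on the system.
appraise func=FILE_CHECK fowner=0 appraise_type=imasig
appraise func=BPRM_CHECK appraise_type=imasig
```

With the second policy loaded, the sequence in the report changes at step 5: the editor's open of ./hello.sh for writing is refused, so the signed content is never replaced and step 6 still executes the original, verified script. Check the result of a policy change by repeating steps 2 through 6 and watching `journalctl | grep INTEG` for appraise_data records, as the report does.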