
Problem mounting pseudo filesystems with SMACK and IMA enabled.

Message ID CABatt_yk+pgwxHVv+RY08xFDOfzxb4w6ELW7RxhW6gWQ=5Hvnw@mail.gmail.com (mailing list archive)
State New, archived

Commit Message

Martin Townsend March 20, 2018, 3:01 p.m. UTC
On Tue, Mar 20, 2018 at 1:32 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> On Tue, 2018-03-20 at 10:23 +0000, Martin Townsend wrote:
>> On Mon, Mar 19, 2018 at 3:47 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>> > On Mon, 2018-03-19 at 14:37 +0000, Martin Townsend wrote:
>> > [...]
>> >> The problem was because systemd couldn't create directories for the
>> >> mounts /dev/shm and /sys/fs/cgroup/systemd, it was returning -ENOKEY.
>> >
>> > There's a disconnect between what ima-evm-utils supports and the
>> > kernel.  This sounds like the kernel you're using has directory
>> > support, which has not been upstreamed.
>> >
>> >> After investigating it looks like I need to set a key for HMAC to stop
>> >> the mkdir failing which I didn't appreciate I needed with a pre-signed
>> >> image.
>> >
>> >> I have a question on this, looking at the IMA code it will try and
>> >> replace my signatures with the HMAC unless the immutable attribute is
>> >> set, is this correct?
>> >
>> > EVM will replace the file signature with an HMAC, unless the
>> > filesystem is mounted r/o, is immutable, or is signed with the new EVM
>> > portable and immutable signature.
>> >
>> >>  In the evmctl utility there's mention of an evm
>> >> immutable flag but I see nothing in the kernel code that supports
>> >> this. Is this a feature that never made it into the kernel? or is it
>> >> there but I've missed it?
>> >
>> > The portable and immutable EVM signature is being added only in this
>> > release (linux-4.16).
>> >
>> >> Second question, I have no TPM module so do I need to add a key for
>> >> HMAC or is there another way? It's not a problem if I have to add a
>> >> key I just want to make 100% sure I have to before patching systemd or
>> >> creating my own init process that adds the key before handing over to
>> >> systemd.
>> >
>> > systemd already has support for loading an EVM key.
>> >
>> > The EVM encrypted key could be based on either a TPM trusted key or a
>> > user key, without the HW guarantees of the private key not being
>> > exposed in the clear.  If you don't need an EVM key, then without a
>> > TPM, you're probably better off backporting the new portable and
>> > immutable EVM key.
>>
>> I've taken a look at the kernel patch "EVM: Add support for portable
>> signature format" and this looks like the exact feature I've been
>> looking for :) and it applied fairly cleanly to 4.9 with just a couple
>> of easy manual edits.
>>
>> I upgraded to the latest 1.1 ima-evm-utils on my host system but I
>> can't sign any files with the --portable flag.  (I've added the
>> function failing to the log_err function)
>>
>> $ LD_LIBRARY_PATH=build/src/.libs sudo ./build/src/.libs/evmctl sign
>> --imasig -v -o --generation 0 --uuid  --key
>
> Can you try signing the file without "--generation 0 --uuid"?  Please
> provide the output of "getfattr -m ^security -e hex --dump
> <filename>".  The security.evm portable and immutable signature should
> begin with 0x05.
>
I get the following
LD_LIBRARY_PATH=build/src/.libs sudo ./build/src/.libs/evmctl sign
--imasig -o --key
/ws/rufilla/curtisswright/cwr-signing-authority/ca/ima/inter/private/ima-privkey.pem
/mnt/ubi/usr/bin/nsenter
ioctl() failed
errno: Inappropriate ioctl for device (25)

You can see in the hexdump from my previous post below it tries to
send a signature with 05 at the start.

Reverting back to 1.0 ima-evm-utils and hacking the kernel to add the
EVM key, it booted, but I couldn't add SMACK rules; in fact I couldn't do
anything with smackfs, and after further debugging it was because
IMA/EVM was measuring and appraising everything in /sys/fs/smack.
With the following patch I have finally got SMACK and IMA working together:

From 3eaa37f3b1848943b2ab9e07f595e0d6e8aba1c5 Mon Sep 17 00:00:00 2001
From: Martin Townsend <mtownsend1973@gmail.com>
Date: Tue, 20 Mar 2018 12:14:57 +0000
Subject: [PATCH] Ensure we don't measure or appraise SMACKFS by default

---
 security/integrity/ima/ima_policy.c | 2 ++
 1 file changed, 2 insertions(+)

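Mimi asks above for the output of `getfattr -m ^security -e hex --dump <filename>` and notes that a portable and immutable EVM signature must begin with 0x05. The following decoder, an added example that is not part of this thread or of ima-evm-utils, parses that getfattr output (or values read directly with `os.getxattr`) and reports which xattr type each security.ima / security.evm value carries, so the 0x02 (EVM HMAC) versus 0x03 (signature) versus 0x05 (portable signature) question can be answered per file without reading hex by eye. The sample dump embedded in it is constructed, not taken from the poster's system; the type-byte and hash-algorithm numbering follows the kernel's `enum evm_ima_xattr_type` and `include/uapi/linux/hash_info.h`, and `struct signature_v2_hdr` is parsed as type(1) version(1) hash_algo(1) keyid(be32) sig_size(be16) followed by the signature bytes.

```python
"""Decode IMA/EVM security xattrs from raw bytes or from `getfattr -e hex --dump` output."""
import os
import struct

# Leading type byte of security.ima / security.evm values
# (enum evm_ima_xattr_type, security/integrity/integrity.h).
XATTR_TYPES = {
    0x01: "IMA_XATTR_DIGEST",           # legacy sha1 file hash
    0x02: "EVM_XATTR_HMAC",             # machine-specific HMAC, needs the EVM key
    0x03: "EVM_IMA_XATTR_DIGSIG",       # signature (security.ima, or old-style security.evm)
    0x04: "IMA_XATTR_DIGEST_NG",        # hash with an explicit algorithm byte
    0x05: "EVM_XATTR_PORTABLE_DIGSIG",  # portable and immutable EVM signature (linux-4.16)
}

# Hash algorithm ids in include/uapi/linux/hash_info.h order.
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160", 4: "sha256",
              5: "sha384", 6: "sha512", 7: "sha224"}


def parse_signature_v2(data: bytes) -> dict:
    """Parse struct signature_v2_hdr: type, version, hash_algo, keyid (be32), sig_size (be16), sig."""
    if len(data) < 9:
        raise ValueError("xattr too short for signature_v2_hdr")
    _xtype, version, algo, keyid, sig_size = struct.unpack(">BBBIH", data[:9])
    sig = data[9:]
    if len(sig) != sig_size:
        raise ValueError(f"sig_size {sig_size} does not match {len(sig)} trailing bytes")
    return {"version": version, "hash_algo": HASH_ALGOS.get(algo, f"unknown({algo})"),
            "keyid": f"{keyid:08x}", "sig_size": sig_size, "sig": sig.hex()}


def describe_xattr(name: str, data: bytes) -> dict:
    """Classify one security.ima / security.evm value by its leading type byte."""
    if not data:
        raise ValueError(f"{name}: empty value")
    xtype = data[0]
    info = {"name": name, "type": xtype, "type_name": XATTR_TYPES.get(xtype, "unknown")}
    if xtype in (0x03, 0x05):
        info.update(parse_signature_v2(data))
    elif xtype == 0x04:
        info["hash_algo"] = HASH_ALGOS.get(data[1], "unknown") if len(data) > 1 else "unknown"
        info["digest"] = data[2:].hex()
    elif xtype in (0x01, 0x02):
        info["digest"] = data[1:].hex()
    return info


def is_portable_signature(evm_value: bytes) -> bool:
    """True when security.evm holds the portable and immutable signature (type byte 0x05)."""
    return len(evm_value) > 0 and evm_value[0] == 0x05


def parse_getfattr_dump(text: str) -> dict:
    """Parse `getfattr -m ^security -e hex --dump <file>` output into {name: bytes}."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # "# file: <path>" header and blank separators
        name, _, value = line.partition("=")
        if value.startswith("0x"):
            attrs[name] = bytes.fromhex(value[2:])
        else:
            attrs[name] = value.strip('"').encode()  # text form, e.g. security.SMACK64="_"
    return attrs


def read_live_xattrs(path: str) -> dict:
    """Read the security.* xattrs straight from a file (Linux only; not used by the sample)."""
    names = os.listxattr(path, follow_symlinks=False)
    return {n: os.getxattr(path, n, follow_symlinks=False) for n in names if n.startswith("security.")}


# Constructed sample in `getfattr -e hex` format (not a real file's values): the SMACK
# floor label "_", a sha256 IMA signature with a fake 4-byte signature body, and a
# portable EVM signature carrying the same fake body.
SAMPLE_DUMP = """\
# file: usr/bin/nsenter
security.SMACK64=0x5f
security.ima=0x030204deadbeef000401020304
security.evm=0x050204deadbeef000401020304
"""

if __name__ == "__main__":
    for attr_name, value in parse_getfattr_dump(SAMPLE_DUMP).items():
        if attr_name in ("security.ima", "security.evm"):
            print(describe_xattr(attr_name, value))
        else:
            print(attr_name, value)
```

On a live system, replace `parse_getfattr_dump(SAMPLE_DUMP)` with `read_live_xattrs(path)`; a security.evm that decodes as `EVM_XATTR_HMAC` is the machine-bound form that EVM rewrites on a read-write mount, which is the behaviour Mimi describes above.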

Comments

Mimi Zohar March 20, 2018, 4:11 p.m. UTC | #1
On Tue, 2018-03-20 at 15:01 +0000, Martin Townsend wrote:
> 
> Not sure why SMACK is not already there, do you want me to submit this
> patch formally or is there a good reason for the omission?

At some point, we should introduce a flag indicating a pseudo
filesystem, but for now including SMACK in the list of pseudo
filesystems not measured sounds right.

thanks,

Mimi
Casey Schaufler March 20, 2018, 4:14 p.m. UTC | #2
On 3/20/2018 9:11 AM, Mimi Zohar wrote:
> On Tue, 2018-03-20 at 15:01 +0000, Martin Townsend wrote:
>> Not sure why SMACK is not already there, do you want me to submit this
>> patch formally or is there a good reason for the omission?
> At some point, we should introduce a flag indicating a pseudo
> filesystem, but for now including SMACK in the list of pseudo
> filesystems not measured sounds right.

I am also good with that.

>
> thanks,
>
> Mimi
>
>

Patch

diff --git a/security/integrity/ima/ima_policy.c
b/security/integrity/ima/ima_policy.c
index aed47b7..678d0d7 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -92,6 +92,7 @@  static struct ima_rule_entry dont_measure_rules[] = {
  {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
  {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
  {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
  {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
  .flags = IMA_FSMAGIC},
  {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
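Review bot: the new SMACK_MAGIC entry in dont_measure_rules[] is placed consistently with the SELINUX_MAGIC and SECURITYFS_MAGIC entries above it, which is the right treatment for a kernel-generated pseudo filesystem, but the commit message needs the reason the thread gives (IMA was measuring and appraising everything under /sys/fs/smack, so no SMACK rules could be loaded) and a Signed-off-by line, and the subject line's "meausre" should read "measure". Since these builtin rules only apply while the default policy is in use and a custom policy loaded through securityfs replaces them, the commit message should also say that such a policy must carry its own dont_measure fsmagic rule for smackfs.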
@@ -132,6 +133,7 @@  static struct ima_rule_entry default_appraise_rules[] = {
  {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
  {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
  {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
  {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
  {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags =
IMA_FSMAGIC},
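Review bot: the DONT_APPRAISE entry mirrors the placement used in the first hunk (after SELINUX_MAGIC), which keeps the two lists easy to compare, but the documented list of default rules in Documentation/ABI/testing/ima_policy should be updated in the same patch so the smackfs exemption is visible to people writing their own policies, because default_appraise_rules[] is dropped once a custom appraise policy is loaded and the mkdir and smackfs write failures described in the thread would return unless that policy repeats the dont_appraise fsmagic rule.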