From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Paul R. Tagliamonte" <paultag@gmail.com>,
linux-integrity@vger.kernel.org
Subject: Re: IMA keyctl problems
Date: Mon, 11 Dec 2017 08:48:37 -0500
Message-ID: <1513000117.3846.122.camel@linux.vnet.ibm.com>
In-Reply-To: <CAO6P2QTRfOYMiB1HEbaYghsH+2bw1tyHrGsMt6G8jbQKHQKETA@mail.gmail.com>
On Sun, 2017-12-10 at 22:59 -0500, Paul R. Tagliamonte wrote:
> (break-break)
>
> Phew. OK. I think I've made sense of what was going on here.
>
> I took another look at my policy and on a hunch, figured I ought to
> look at the only unique line I had written:
>
> ```
> appraise appraise_type=imasig uid=1000
> ```
>
> When I changed that to uid=0, everything worked as expected.
The "uid=" is a condition that limits which files to appraise. By
changing "uid=" to 0, I assume "worked as expected" means nothing was
verified.
>
> On a hunch, I changed it back to uid=1000, got the error, and ran:
>
> ```
> keyctl link %keyring:_ima %keyring:_uid.1000
> ```
>
> At which point, the kernel errors went away, and I got the single
> `IMA-signature-required` error I was looking for. Huzzah!
>
>
> Now, can anyone point me in the right direction as to why I had to
> link this keyring to a user to enforce policy?
>
> Is there a reason the lookup doesn't behave as if it were doing a
> %keyring:{_,.}ima lookup? That works even before linking it to
> _uid.1000.
>
> Do other tools load this for each UID on the system? What happens if a
> new user is added at runtime?
>
> This was a pretty non-obvious way for this system to fail; are there
> docs that cover this?
This all seems to indicate that the keys are not being loaded onto
root's _ima keyring. See if there is a difference if you "su -",
before creating the _ima keyring.
Even if you don't add any keys during boot, enabling dracut/systemd
would at least properly create the _ima keyring.
Mimi
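As an added example (not part of this thread, and not the kernel's own IMA policy parser), the following Python script parses policy rules in the form quoted above and reports the check a defender would want after reading this exchange: which appraise rules carry a non-root uid condition, and therefore which per-user keyrings the _ima keyring must be linked into with the keyctl command Paul used. The rule grammar it accepts (one rule per line, an action followed by key=value conditions, '#' comments), the sample policy and the function names are assumptions of the example; conditions using operators other than '=' are rejected rather than guessed at.

```python
"""Parse IMA policy rules and list the uids whose keyrings need _ima linked.

Added example, not from the thread or the kernel. Assumed grammar:
one rule per line, "action key=value key=value ...", '#' comments.
"""
from dataclasses import dataclass

# Constructed sample policy. The uid=1000 rule is the one from the thread;
# the other lines are made up to exercise the parser.
SAMPLE_POLICY = """\
# constructed sample policy
dont_appraise fsmagic=0x9fa0
measure func=BPRM_CHECK mask=MAY_EXEC
appraise appraise_type=imasig uid=1000
appraise func=BPRM_CHECK appraise_type=imasig uid=1001
appraise appraise_type=imasig uid=0
"""


@dataclass
class Rule:
    action: str          # e.g. appraise, dont_appraise, measure
    conditions: dict     # key -> value, e.g. {"uid": "1000"}


def parse_policy(text):
    """Turn policy text into Rule objects; only key=value conditions are accepted."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        action, conds = tokens[0], {}
        for tok in tokens[1:]:
            if "=" not in tok:
                raise ValueError(f"line {lineno}: condition {tok!r} is not key=value")
            key, value = tok.split("=", 1)
            if key in conds:
                raise ValueError(f"line {lineno}: duplicate condition {key!r}")
            conds[key] = value
        rules.append(Rule(action, conds))
    return rules


def uids_needing_ima_keyring(rules):
    """Non-root uids named in appraise rules, sorted ascending.

    Assumption drawn from the symptom in the thread: verification for a
    process running as such a uid only succeeds once the _ima keyring is
    reachable from that user's keyring, so each uid listed here needs the
    link that the uid=0 case gets for free.
    """
    uids = set()
    for rule in rules:
        if rule.action != "appraise":
            continue
        uid = rule.conditions.get("uid")
        if uid is not None and uid != "0":
            uids.add(int(uid))
    return sorted(uids)


def keyctl_link_commands(uids):
    """The keyctl link command from the thread, one per affected uid."""
    return [f"keyctl link %keyring:_ima %keyring:_uid.{uid}" for uid in uids]


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POLICY)
    for cmd in keyctl_link_commands(uids_needing_ima_keyring(parsed)):
        print(cmd)
```

Run against a real policy with `python3 check.py < /sys/kernel/security/ima/policy` after swapping SAMPLE_POLICY for `sys.stdin.read()`; the output is the list of link commands, which is a useful thing to compare against `keyctl show %keyring:_uid.<uid>` when a user unexpectedly hits the kernel errors described above.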