[Dev] IMA and installing new files
dmitry.rozhkov at linux.intel.com
Wed Feb 24 12:11:49 GMT 2016
I'm working on integrating IMA and swupd (Clear Linux software updates)
and I'm experiencing problems with updating or installing new files on
systems with IMA enabled.
The problem comes from the fact that the IMA kernel module
unconditionally overwrites the security.ima extended attribute upon
closing a file:
1. the swupd client downloads a tarball with updates to /var/lib/swupd;
2. then unpacks the updated files preserving xattrs including
security.ima with file signatures;
3. as soon as tar closes the unpacked files the kernel wipes out the
content of security.ima and puts new value (files' hashes without
AFAIU this happens in the kernel hook ima_file_free() called as a final
step of __dput() upon closing a file handle and freeing its structure.
So there is no way to intervene and to prevent this xattr reset.
As result I can't use software updates together with an IMA policy
where all executables must be signed.
Is it possible not to overwrite a file's security.ima if upon closing
it contains a correct signed hash already?
More information about the Dev