Hi! I'm working on integrating IMA and swupd (Clear Linux software updates) and I'm experiencing problems with updating or installing new files on systems with IMA enabled.
The problem comes from the fact that the IMA kernel module unconditionally overwrites the security.ima extended attribute upon closing a file:

1. the swupd client downloads a tarball with updates to /var/lib/swupd;
2. then unpacks the updated files, preserving xattrs including security.ima with the file signatures;
3. as soon as tar closes the unpacked files, the kernel wipes out the content of security.ima and puts in a new value (the files' hashes without signatures).

AFAIU this happens in the kernel hook ima_file_free(), called as the final step of __dput() upon closing a file handle and freeing its structure. So there is no way to intervene and prevent this xattr reset. As a result I can't use software updates together with an IMA policy where all executables must be signed.

Is it possible not to overwrite a file's security.ima if, upon closing, it already contains a correct signed hash?

BR,
Dmitry

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
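Added example (not part of Dmitry's post, nor swupd or kernel code): a small C check that tells a signed security.ima apart from the hash-only value the kernel writes back. It relies on the xattr layout from the kernel's security/integrity/integrity.h, where the first byte is the type (0x01 legacy digest, 0x03 signature with a struct signature_v2_hdr, 0x04 digest with an algorithm byte); the function names, the sample blobs and the `security_ima_file_is_signed()` wrapper around getxattr() are my own. Running the file check over freshly unpacked files would confirm whether the signature survived the close, which is exactly what the post says does not happen.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/xattr.h>
#endif

/* Type byte values as defined in the kernel's security/integrity/integrity.h
 * (enum evm_ima_xattr_type). */
enum evm_ima_xattr_type {
    IMA_XATTR_DIGEST     = 0x01, /* type + raw digest (what ima_file_free() writes) */
    EVM_XATTR_HMAC       = 0x02, /* EVM only, never valid in security.ima */
    EVM_IMA_XATTR_DIGSIG = 0x03, /* type + struct signature_v2_hdr + signature */
    IMA_XATTR_DIGEST_NG  = 0x04, /* type + hash algorithm byte + digest */
};

enum ima_xattr_kind { IMA_KIND_HASH = 0, IMA_KIND_SIG = 1 };

struct ima_xattr_info {
    enum ima_xattr_kind kind;
    int      hash_algo;   /* kernel enum hash_algo byte, or -1 for the legacy 0x01 format */
    uint32_t keyid;       /* signature only (0 if the header could not be parsed) */
    size_t   payload_len; /* digest length or signature length */
};

/* Parse a security.ima blob. Returns 0 on success, -1 if the blob is not a
 * well-formed IMA hash or signature xattr. */
int ima_xattr_parse(const uint8_t *buf, size_t len, struct ima_xattr_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 2)
        return -1;
    switch (buf[0]) {
    case IMA_XATTR_DIGEST:
        out->kind = IMA_KIND_HASH;
        out->hash_algo = -1;
        out->payload_len = len - 1;
        return 0;
    case IMA_XATTR_DIGEST_NG:
        if (len < 3)
            return -1;
        out->kind = IMA_KIND_HASH;
        out->hash_algo = buf[1];
        out->payload_len = len - 2;
        return 0;
    case EVM_IMA_XATTR_DIGSIG: {
        /* signature_v2_hdr: type(1) version(1) hash_algo(1) keyid(be32) sig_size(be16) sig[] */
        const size_t hdr = 9;
        out->kind = IMA_KIND_SIG;
        if (buf[1] != 2) {            /* other versions: signed, layout not parsed here */
            out->hash_algo = -1;
            out->payload_len = len - 2;
            return 0;
        }
        if (len < hdr)
            return -1;
        uint32_t keyid = ((uint32_t)buf[3] << 24) | ((uint32_t)buf[4] << 16) |
                         ((uint32_t)buf[5] << 8) | buf[6];
        size_t sig_size = ((size_t)buf[7] << 8) | buf[8];
        if (sig_size == 0 || hdr + sig_size != len)   /* truncated or padded blob */
            return -1;
        out->hash_algo = buf[2];
        out->keyid = keyid;
        out->payload_len = sig_size;
        return 0;
    }
    default:
        return -1;
    }
}

/* 1 if the blob carries a signature, 0 if it is only a hash, -1 if malformed. */
int security_ima_is_signed(const uint8_t *buf, size_t len)
{
    struct ima_xattr_info info;
    if (ima_xattr_parse(buf, len, &info) != 0)
        return -1;
    return info.kind == IMA_KIND_SIG ? 1 : 0;
}

#ifdef __linux__
/* Same verdict for a file on disk: 1 signed, 0 hash only, -1 missing/unreadable/malformed. */
int security_ima_file_is_signed(const char *path)
{
    uint8_t buf[1024];
    ssize_t n = getxattr(path, "security.ima", buf, sizeof buf);
    if (n < 0)
        return -1;
    return security_ima_is_signed(buf, (size_t)n);
}
#endif

/* Constructed sample blobs; the digests and signature bytes are placeholders, not real values. */
static const uint8_t SAMPLE_HASH_SHA1[] = { 0x01,
    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,
    0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13 };
static const uint8_t SAMPLE_HASH_NG[] = { 0x04, 0x04 /* HASH_ALGO_SHA256 in the kernel enum */,
    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
    0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f };
static const uint8_t SAMPLE_SIG[] = { 0x03, 0x02, 0x04,
    0x0a,0x0b,0x0c,0x0d,          /* keyid, big-endian */
    0x00,0x08,                    /* sig_size = 8 */
    0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x11,0x22 };

int main(void)
{
    static const char *verdict[] = { "hash only", "signed" };
    int r;
    r = security_ima_is_signed(SAMPLE_HASH_SHA1, sizeof SAMPLE_HASH_SHA1);
    printf("legacy digest blob : %s\n", r < 0 ? "malformed" : verdict[r]);
    r = security_ima_is_signed(SAMPLE_HASH_NG, sizeof SAMPLE_HASH_NG);
    printf("digest-ng blob     : %s\n", r < 0 ? "malformed" : verdict[r]);
    r = security_ima_is_signed(SAMPLE_SIG, sizeof SAMPLE_SIG);
    printf("signature blob     : %s\n", r < 0 ? "malformed" : verdict[r]);
#ifdef __linux__
    r = security_ima_file_is_signed("/bin/sh");
    printf("/bin/sh on this box: %s\n", r < 0 ? "no readable security.ima" : verdict[r]);
#endif
    return 0;
}
```

On a box where IMA appraisal is active, reading security.ima needs CAP_SYS_ADMIN (or root), so the file check is meant for the update client itself, run right after extraction and before the files are first executed.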
