Linux kernel version 4.13 has a bug in IMA policy parsing that prevents setting IMA measurement and appraisal options per fsuuid.
The issue can be reproduced with a simple ima_policy:
# fsuuid=$(blkid -s UUID -o value /dev/sda1)
# cat > ima_policy << EOF
dont_appraise fsuuid=$fsuuid
dont_measure fsuuid=$fsuuid
EOF
# cat ima_policy > /sys/kernel/security/ima/policy
cat: write error: Invalid argument
# dmesg | tail
[ 928.069606] audit: type=1805 audit(1521031959.907:18): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0
[ 928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0 auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0
[ 928.070829] IMA: policy update failed
[ 928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0 auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0
The same policy can be successfully loaded on v4.10:
(v4.10) # dmesg | tail
[ 54.071383] IMA: policy update completed
[ 54.071484] kauditd_printk_skb: 1 callbacks suppressed
[ 54.071487] audit: type=1805 audit(1521030962.958:15): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
[ 54.071491] audit: type=1805 audit(1521030962.958:16): action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
[ 54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0 auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1
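The two dmesg excerpts above are the only evidence an administrator gets of whether a policy load was accepted rule by rule, since a rejected policy leaves the kernel on its previous rules. The following Python script is an added example, not part of this report or of the kernel tree: it parses the audit records that IMA emits during a policy load (type=1805 is AUDIT_INTEGRITY_RULE, one record per rule with res=1 for accepted and res=0 for rejected; type=1802 is AUDIT_INTEGRITY_STATUS, carrying the overall op/cause) and reports which rules the kernel refused. The sample input is constructed from the log lines of this report, and the `summarize_ima_policy_load` function name is an assumption of this example.

```python
import re

# Constructed sample input: the dmesg lines quoted in this report for a
# failed load on v4.13 and a successful load on v4.10.
DMESG_V413 = """\
[  928.069606] audit: type=1805 audit(1521031959.907:18): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0
[  928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0 auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0
[  928.070829] IMA: policy update failed
[  928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0 auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0
"""

DMESG_V410 = """\
[   54.071383] IMA: policy update completed
[   54.071484] kauditd_printk_skb: 1 callbacks suppressed
[   54.071487] audit: type=1805 audit(1521030962.958:15): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
[   54.071491] audit: type=1805 audit(1521030962.958:16): action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
[   54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0 auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1
"""

# Audit record types used by IMA (kernel constants from include/uapi/linux/audit.h).
AUDIT_INTEGRITY_STATUS = 1802
AUDIT_INTEGRITY_RULE = 1805

# "audit: type=<n> audit(<timestamp>:<serial>): <key=value ...>"
AUDIT_RE = re.compile(r'audit: type=(\d+) audit\(([\d.]+):(\d+)\): (.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PLAIN_STATUS_RE = re.compile(r'IMA: policy update (completed|failed)')


def parse_audit_line(line):
    """Return (record_type, serial, fields) for an audit record line, else None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec_type, _timestamp, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return int(rec_type), int(serial), fields


def summarize_ima_policy_load(dmesg_text):
    """Summarize one IMA policy load from dmesg output (hypothetical helper).

    Returns a dict with:
      status   -- 'completed', 'failed' or 'unknown' (from op="policy_update")
      reason   -- cause of the first op="update_policy" record, e.g. 'invalid-policy'
      rules    -- list of (rule description, accepted) from AUDIT_INTEGRITY_RULE records
      rejected -- descriptions of rules the kernel refused (res=0)
    """
    status, reason, rules = 'unknown', None, []
    for line in dmesg_text.splitlines():
        parsed = parse_audit_line(line)
        if parsed is None:
            # Fall back on the plain "IMA: policy update ..." message when no
            # AUDIT_INTEGRITY_STATUS record with op="policy_update" is present.
            m = PLAIN_STATUS_RE.search(line)
            if m:
                status = m.group(1)
            continue
        rec_type, _serial, f = parsed
        if rec_type == AUDIT_INTEGRITY_RULE:
            desc = ' '.join(f'{k}={v}' for k, v in f.items() if k != 'res')
            rules.append((desc, f.get('res') == '1'))
        elif rec_type == AUDIT_INTEGRITY_STATUS:
            if f.get('op') == 'policy_update':
                status = f.get('cause', 'unknown')
            elif f.get('op') == 'update_policy' and reason is None:
                reason = f.get('cause')
    return {
        'status': status,
        'reason': reason,
        'rules': rules,
        'rejected': [desc for desc, ok in rules if not ok],
    }


if __name__ == '__main__':
    for label, text in (('v4.13', DMESG_V413), ('v4.10', DMESG_V410)):
        summary = summarize_ima_policy_load(text)
        print(f"{label}: policy update {summary['status']}"
              + (f" ({summary['reason']})" if summary['reason'] else ''))
        for desc in summary['rejected']:
            print(f"  rejected rule: {desc}")
```

Run against a live system with `dmesg | python3 ima_policy_audit.py` after adapting the `__main__` block to read stdin; a non-empty `rejected` list after a policy write that returned EINVAL pinpoints the offending rule, which on the affected 4.13 kernel is the first fsuuid= rule.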
The bug is fixed in the mainline kernel:
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_policy.c?id=36447456e1cca853188505f2a964dbbeacfc7a7a