feat: add ProbeIMAFileCheckMeasurementActive#60
Merged
Checks whether an IMA measurement rule covering file open (e.g., func=FILE_CHECK) is active by creating a fresh temporary file, rewriting it to invalidate any IMA measurement cache from the initial create, then opening it O_RDONLY and checking for a count increase. The measurement window contains only the O_RDONLY open — the canonical FILE_CHECK stimulus. No count > 1 shortcut. Co-authored-by: Ona <no-reply@ona.com>
Tests that createFreshTempFile creates a non-empty regular file and that cleanup removes the temp directory. Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Ona <no-reply@ona.com>
Two correctness fixes for IMA exec and file-check probes: 1. Append unique random bytes per invocation so IMA's global hash-table deduplication does not suppress repeated measurements of the same content across probes in the same boot. 2. Prefer /var/tmp over the default temp dir to avoid tmpfs, which common IMA policies exclude before FILE_CHECK/BPRM_CHECK rules. Falls back to the default temp dir if /var/tmp is unavailable or itself on tmpfs. Co-authored-by: Ona <no-reply@ona.com>
Tests uniqueness across calls, tmpfs detection for nonexistent paths, and that imaProbeTempDir creates a directory on non-tmpfs when /var/tmp is available. Co-authored-by: Ona <no-reply@ona.com>
Try all candidates (/var/tmp, os.TempDir) and continue to the next on write failure. Return an error with accumulated reasons if no writable non-tmpfs directory is available, so the probe result is 'inconclusive' rather than a misleading Supported=false from a tmpfs-excluded stimulus. Co-authored-by: Ona <no-reply@ona.com>
Produces a proper error chain instead of formatting []error with %v. Co-authored-by: Ona <no-reply@ona.com>
Added

ProbeIMAFileCheckMeasurementActive() ProbeResult — checks whether an IMA measurement rule covering file open (e.g., func=FILE_CHECK) is active by creating a fresh temporary file, then opening it O_RDONLY and checking for a measurement count increase.

Semantic contract

- Supported=true only when the controlled file-open stimulus increments the IMA measurement count
- … ProbeIMAAnyMeasurementActive)
- /var/tmp, then os.TempDir() if non-tmpfs; returns Error if no writable non-tmpfs candidate exists
- Supported=false with Error set …
- … Feature/Check/SystemFeatures yet

Why FILE_CHECK needs different windowing than BPRM_CHECK
For the exec probe (#59), the temp binary is materialized before the baseline count and the exec is the only operation in the window. FILE_CHECK is trickier: the open() that creates the temp file may itself trigger a FILE_CHECK measurement. The probe handles this by:

- … O_RDONLY — this is the stimulus

The O_RDONLY stimulus is consistent with IMA's documented FILE_CHECK behavior, where FILE_CHECK triggers on file open and can be qualified with mask=MAY_READ.

Correctness fixes (also applied to exec probe)
Two fixes applied to both ProbeIMAExecMeasurementActive and ProbeIMAFileCheckMeasurementActive:

- Unique content per invocation: IMA maintains a global hash table and may suppress measurements for content it has already seen. The exec probe now appends random bytes to the copied ELF (past the segment table, does not affect execution). The file-check probe rewrites with unique random content before the baseline.
- Non-tmpfs temp directory: Common IMA policies (e.g., the default tcb policy) exclude tmpfs before FILE_CHECK/BPRM_CHECK rules. Both probes now prefer /var/tmp, then os.TempDir() if non-tmpfs; they return Error if no writable non-tmpfs candidate exists rather than silently falling back to tmpfs.

Series
This is PR 3 of 3 after #57:

- ReadIMARuntimeMeasurementsCount ✅
- #59 — ProbeIMAExecMeasurementActive ✅
- #60 — ProbeIMAFileCheckMeasurementActive (this PR)
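An added example in Go, not the project's own code, sketching both the FILE_CHECK windowing and the non-tmpfs temp-dir fallback with a joined error that the PR describes. The check and readCount callbacks, the ima-probe- prefix and the 32-byte unique content are assumptions; a real run needs root on an IMA-enabled host, and the callbacks are injected so the logic can be exercised without one.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// PickProbeDir makes a fresh subdir in the first candidate that passes check (a caller-supplied
// tmpfs test, e.g. statfs f_type == TMPFS_MAGIC) and is writable; else all reasons are joined.
func PickProbeDir(candidates []string, check func(string) error) (string, error) {
	var reasons []error
	for _, c := range candidates {
		dir, err := "", check(c)
		if err == nil {
			dir, err = os.MkdirTemp(c, "ima-probe-")
		}
		if err == nil {
			return dir, nil
		}
		reasons = append(reasons, fmt.Errorf("%s: %w", c, err))
	}
	return "", fmt.Errorf("no writable non-tmpfs temp dir: %w", errors.Join(reasons...))
}

// ProbeFileCheck runs the FILE_CHECK stimulus in dir; Supported means a strict count increase.
// readCount reads runtime_measurements_count from securityfs (root only) and is injectable.
func ProbeFileCheck(dir string, readCount func() (uint64, error)) (bool, error) {
	path := filepath.Join(dir, "probe")
	uniq := make([]byte, 32)
	if _, err := rand.Read(uniq); err != nil {
		return false, err
	}
	// Create, then rewrite with unique bytes so neither the create's own measurement nor IMA's dedup serves the later open.
	for _, content := range [][]byte{[]byte("fresh"), uniq} {
		if err := os.WriteFile(path, content, 0o600); err != nil {
			return false, err
		}
	}
	before, err := readCount()
	if err == nil {
		_, err = os.ReadFile(path) // O_RDONLY open: the only operation inside the window
	}
	var after uint64
	if err == nil {
		after, err = readCount()
	}
	return err == nil && after > before, err
}
```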