[apparmor] [Question] any interface to IMA or TPM?
John Johansen
john.johansen at canonical.com
Sun Nov 22 00:24:50 UTC 2015
On 11/21/2015 03:51 AM, Simone Pierluigi Sortino S210003 wrote:
> On 20.11.2015 21:15 Seth Arnold wrote:
>> On Fri, Nov 20, 2015 at 05:35:29PM +0100, Simone Pierluigi Sortino
>> S210003 wrote:
>>> I want to ask if AppArmor provides any kind of interface to IMA or
>>> TPM, in order to have some remote attestation or (at least)
>>> integrity control.
>>>
>>> If no interface is available, are there any features able to
>>> do that?
>>
>> Hello Simone; what exactly are you hoping to achieve with TPM or IMA
>> interfaces from AppArmor? We haven't built anything to work with or
>> mediate TPM or other IMA devices specifically but perhaps what you want to
>> do can be done with proper policy design.
>>
>> Thanks
>
>
> Hey, thank you for the quick answer.
> My goal is to find a good way to provide the integrity of files (perhaps using some hardware-based approach like TPM), but one that is more flexible than IMA and its limited number of PCRs.
>
> I know that AppArmor provides mandatory access control, and I am checking if there is any feature related to integrity.
No, AppArmor does not provide integrity checking at this time.
> As you know, a MAC only manages rights of access to a file (in a very few words), but if I use any hex editor, I should be able to access any memory allocation and modify it without any access control.
>
No, you cannot. You can only edit memory within your processes, and you can only store memory back to storage that you have permission to write.
If you gain ring 0 (kernel privilege) you can bypass the MAC controls, but you can also bypass IMA and any other kernel-based checking mechanism.
> Then: does AppArmor have any type of protection/control against this kind of attack?
>
IMA is a different class of attack than AppArmor protects against atm. AppArmor provides a run-time control of the system state; it assumes that the kernel is secure and that the state of the machine is good on boot. IMA provides a mechanism to check the integrity of files; it does not assume the state of the machine is good on boot, but checks file integrity against its known signatures. However, IMA also requires secure storage of at least a root key and a signature database that is known to be good.
AppArmor can be stacked with the IMA system that is present in the kernel to provide both MAC and integrity management if you desire that combination. Currently this requires configuring two separate policies etc. We are not working towards integrating IMA into AppArmor policy at this time, but it is a direction that we may take in the future, to make integration of the two policies easier. If we do integrate IMA into policy, it will leverage the existing IMA system in the kernel; it will just be a convenience layer on top of it, to make managing system policy easier.
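
The two separate policies mentioned in the message above, sketched as an added example that is not part of the original post and not the AppArmor project's own configuration. The daemon path /usr/local/bin/exampled and its data paths are hypothetical; the IMA rules assume a kernel built with IMA appraisal and files that already carry signatures in their security.ima extended attribute.

```conf
# ---- Policy 1: IMA (integrity), written to /sys/kernel/security/ima/policy ----
# Skip pseudo-filesystems that have no persistent content to measure or appraise.
# 0x9fa0 = procfs, 0x62656572 = sysfs, 0x73636673 = securityfs
dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_appraise fsmagic=0x62656572
dont_measure fsmagic=0x73636673
dont_appraise fsmagic=0x73636673
# Record every executed binary and executable mapping in the measurement list.
measure func=BPRM_CHECK
measure func=MMAP_CHECK mask=MAY_EXEC
# Refuse to execute files whose signature does not verify against a trusted key.
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig

# ---- Policy 2: AppArmor (MAC), e.g. /etc/apparmor.d/usr.local.bin.exampled ----
# Hypothetical profile: confines what the running process may touch.
# It says nothing about whether the file contents are the expected ones;
# that question is answered by the IMA rules above.
#include <tunables/global>

/usr/local/bin/exampled {
  #include <abstractions/base>

  # The binary itself: map and read only, never write.
  /usr/local/bin/exampled mr,
  # Configuration is read-only to the confined process.
  /etc/exampled.conf r,
  # The only location the process may modify.
  /var/lib/exampled/** rw,
}
```

With both loaded, a write to the binary from the confined process is refused by AppArmor, and a binary modified by some other path fails IMA appraisal at execution time. Neither policy helps once the kernel itself is compromised, as the message notes.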