Menu
▾
▴
Re: [Linux-ima-devel] xattr validation in IMA
|
From: Mimi Z. <zo...@li...> - 2014-10-22 12:36:50
|
On Wed, 2014-10-22 at 13:29 +0200, Jan Kara wrote: > On Wed 22-10-14 12:47:13, Dmitry Kasatkin wrote: > > On 22/10/14 12:02, Jan Kara wrote: > > > Hello, > > > > > > Coverity made me look into how IMA handles xattrs and it appears that it > > > just blindly believes that whatever userspace passes as security.ima xattr > > > has a format of evm_ima_xattr_data. However that isn't necessarily true > > > (you can even be passed NULL as xattr_value which will oops immediately). > > > It isn't a security issue AFAICS since you allow only CAP_SYS_ADMIN > > > processes to manipulate with the xattr but still it is a very bad practice > > > to allow userspace to screw kernel like that... > > > > > > Honza > > > > Hi, > > > > What exact place you point out.. > Sorry, I should have been more specific. I'm speaking about > ima_inode_setxattr() which gets called from security_inode_setxattr(). Thank you for the bug report. Aside from new files, we verify the existing label is valid before allowing the file to be relabeled. Labeling a file with an invalid hash/signature would cause a DoS. We should at minimum verify the value is of the proper format, but I think we can go farther than that. On a system running with IMA-appraisal enabled, on __fput() new files are properly labeled with hashes. So we should limit writing file hashes to fix mode. Mimi |
