From: Dmitry R. <dmi...@li...> - 2016-02-26 16:19:51
On Fri, 2016-02-26 at 08:24 -0500, Mimi Zohar wrote:
> On Fri, 2016-02-26 at 15:00 +0200, Dmitry Rozhkov wrote:
> > On Fri, 2016-02-26 at 06:48 -0500, Mimi Zohar wrote:
> > > On Fri, 2016-02-26 at 08:52 +0100, Patrick Ohly wrote:
> > > > On Thu, 2016-02-25 at 11:09 -0500, Mimi Zohar wrote:
> > > > > On Thu, 2016-02-25 at 15:29 +0200, Dmitry Rozhkov wrote:
> > > > > > On Thu, 2016-02-25 at 07:43 -0500, Mimi Zohar wrote:
> > > > >
> > > > > > >
> > > > > > > If security.ima isn't being written because the file is not
> > > > > > > in policy, that is a different problem. Perhaps try writing a
> > > > > > > file that is in the IMA-appraisal policy.
> > > > > >
> > > > > > Didn't get it. The file is in the IMA-appraisal policy.
> > > > > >
> > > > > > AFAIU upon file closing ima_inode_setxattr()
> > > > > > calls ima_reset_appraise_flags() where IMA_DIGSIG is supposed
> > > > > > to be set. But right before setting the flag there's the
> > > > > > condition
> > > > > >
> > > > > > 	iint = integrity_iint_find(inode);
> > > > > > 	if (!iint)
> > > > > > 		return;
> > > > > >
> > > > > > which is true for newly created (and never closed yet) files.
> > > > >
> > > > > There needs to be a FILE_CHECK rule for the iint to be created
> > > > > for a new file.
> > > >
> > > > The policy is essentially just:
> > > >
> > > > appraise fowner=0
> > > > measure fowner=0
> > > >
> > > > with some dont_appraise/measure entries earlier for some special
> > > > filesystems.
> > >
> > > This policy measures and appraises everything owned by root. So as
> > > long as the file is owned by root, the file will be in the file open
> > > (FILE_CHECK) policy.
> > >
> >
> > In other words with the policy like
> >
> > appraise fowner=0
> > measure fowner=0
> >
> > the FILE_CHECK rule is implied for all files and iint is guaranteed
> > to be created. Then something else is missing for IMA_DIGSIG to be
> > set. I've run out of ideas on what it could be.
>
> No, not all files are included in the policy. Only files owned by root
> on filesystems not explicitly excluded. Try opening a file for write
> and from another process write the signature as an xattr, before
> closing the file. security.ima should contain the signature after
> close.
Hm. I've just tried to reproduce my use case with the following simple
test and got perfectly correct results. Looks like there's something
fishy with bsdtar still. Back to the drawing board...

#include <sys/types.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <sys/xattr.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

/* Type byte that leads a security.ima value (mirrors the kernel enum). */
enum evm_ima_xattr_type {
	IMA_XATTR_DIGEST = 0x01,
	EVM_XATTR_HMAC,
	EVM_IMA_XATTR_DIGSIG,
	IMA_XATTR_DIGEST_NG,
	IMA_XATTR_LAST
};

int main(void)
{
	/* Bogus signature: only the leading type byte matters for this test,
	 * it is what makes IMA treat the xattr as a signature (IMA_DIGSIG). */
	char fakesig[256] =
		"abracadabraabracadabraabracadabraabracadabraabracadabraabracadabraabracadabraabracadabra";
	fakesig[0] = EVM_IMA_XATTR_DIGSIG;

	/* O_CREAT needs a mode argument; run as root so fowner=0 matches the policy. */
	int fd = open("test", O_WRONLY | O_CREAT, 0644);
	if (fd < 0) {
		printf("Oops (open): %s\n", strerror(errno));
		return 1;
	}
	if (write(fd, "hello", 5) != 5) {
		printf("Oops (write): %s\n", strerror(errno));
		close(fd);
		return 1;
	}

	/* Set the xattr while the file is still open, then close it: the
	 * signature should still be in security.ima after the close. */
	int ret = fsetxattr(fd, "security.ima", fakesig, sizeof(fakesig), 0);
	int saved_errno = errno;	/* close() may clobber errno */
	close(fd);
	if (ret) {
		printf("Oops: %s\n", strerror(saved_errno));
	}
	return ret;
}

BR,
Dima