From: Dmitry R. <dmi...@li...> - 2016-02-29 12:04:26
On Fri, 2016-02-26 at 17:53 +0100, Patrick Ohly wrote:
> On Fri, 2016-02-26 at 18:26 +0200, Dmitry Rozhkov wrote:
> > Hm. I've just tried to reproduce my use case with the following
> > simple test and got perfectly correct results. Looks like there's
> > something fishy with bsdtar still.
>
> Can you do strace dumps to compare the actual syscalls?
>
Yep, strace shows that bsdtar does utimensat() after fsetxattr() and
before close().
The test program below reproduces the problem.
I think if timestamps are not considered to be a part of the hash sums
(and it seems to be the case since the IMA hash is the same for the
same file but with different timestamps) then it would be better fixed
in IMA. But patching bsdtar to make setting xattrs the last operation
before close() would not hurt either.

#include <sys/types.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <sys/xattr.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

/* xattr type byte: first byte of the security.ima value */
enum evm_ima_xattr_type {
    IMA_XATTR_DIGEST = 0x01,
    EVM_XATTR_HMAC,
    EVM_IMA_XATTR_DIGSIG,
    IMA_XATTR_DIGEST_NG,
    IMA_XATTR_LAST
};

int main(void)
{
    /* bogus signature blob; the rest of the buffer stays zero-filled */
    char fakesig[256] =
        "abracadabraabracadabraabracadabraabracadabra"
        "abracadabraabracadabraabracadabraabracadabra";
    fakesig[0] = EVM_IMA_XATTR_DIGSIG;

    int fd = open("test", O_WRONLY | O_CREAT, 0644);
    if (fd < 0) {
        printf("open: %s\n", strerror(errno));
        return 1;
    }
    write(fd, "hello", 5);
    fchown(fd, 0, 0);

    /* same syscall order as bsdtar: xattr first, timestamps afterwards */
    int ret = fsetxattr(fd, "security.ima", fakesig, sizeof(fakesig), 0);
    int saved_errno = errno;    /* futimens()/close() may clobber errno */

    struct timespec ts[2];
    ts[0].tv_sec = 1456840352;  /* atime */
    ts[0].tv_nsec = 842331383;
    ts[1].tv_sec = 1456692085;  /* mtime */
    ts[1].tv_nsec = 1;
    futimens(fd, ts);
    close(fd);

    if (ret) {
        printf("Oops: %s\n", strerror(saved_errno));
    }
    return ret;
}
BR,
Dima
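As an added check, not part of this thread and not code from bsdtar, libarchive or IMA, the following Python script scans strace -f output for the ordering described above: a metadata- or data-changing syscall issued on a file descriptor after security.ima has been set on it and before that descriptor is closed. The trace embedded in it is constructed for the example, not captured from bsdtar; glibc implements futimens(fd, ts) as utimensat(fd, NULL, ts, 0), which is why such a trace shows utimensat rather than futimens. It goes slightly beyond the utimensat case in the thread by also flagging fchown, fchmod, ftruncate and write after the xattr, since the proposed fix is that setting the xattr be the last operation before close().

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

IMA_XATTR = "security.ima"

# fd-based syscalls that change file contents or inode metadata. Any of them
# issued between fsetxattr(fd, "security.ima", ...) and close(fd) means the
# xattr was not the last operation on the file.
MUTATING_CALLS = {"write", "pwrite64", "ftruncate", "fchown", "fchmod",
                  "futimens", "utimensat"}

# strace line: optional "[pid N] " prefix, then name(args) = ret
LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s*)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)')
# fsetxattr args start with: fd, "name"
XATTR_RE = re.compile(r'^\s*\d+\s*,\s*"(?P<name>[^"]*)"')

# Constructed strace -f lines for this example (not real bsdtar output).
# First file: xattr set, then timestamps (the order the thread describes).
# Second file: timestamps first, xattr last, which is the proposed order.
SAMPLE_TRACE = """\
[pid  4242] openat(AT_FDCWD, "test", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 3
[pid  4242] write(3, "hello", 5) = 5
[pid  4242] fchown(3, 0, 0) = 0
[pid  4242] fsetxattr(3, "security.ima", "\\3abracadabra"..., 256, 0) = 0
[pid  4242] utimensat(3, NULL, [{tv_sec=1456840352, tv_nsec=842331383}, {tv_sec=1456692085, tv_nsec=1}], 0) = 0
[pid  4242] close(3) = 0
[pid  4242] openat(AT_FDCWD, "other", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 3
[pid  4242] write(3, "world", 5) = 5
[pid  4242] fchown(3, 0, 0) = 0
[pid  4242] utimensat(3, NULL, [{tv_sec=1456840352, tv_nsec=0}, {tv_sec=1456692085, tv_nsec=0}], 0) = 0
[pid  4242] fsetxattr(3, "security.ima", "\\3abracadabra"..., 256, 0) = 0
[pid  4242] close(3) = 0
"""

Finding = Tuple[Optional[int], int, str]   # (pid, fd, syscall)


def parse_line(line: str):
    """Split one strace line into (pid, call, args, ret); None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pid = int(m.group("pid")) if m.group("pid") else None
    return pid, m.group("call"), m.group("args"), int(m.group("ret"))


def find_late_updates(trace: str) -> List[Finding]:
    """Return one (pid, fd, syscall) per mutating call made on an fd after
    security.ima was set on it and before that fd was closed."""
    armed: Dict[Tuple[Optional[int], int], bool] = {}   # (pid, fd) -> xattr set?
    findings: List[Finding] = []
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, call, args, ret = parsed
        if call in ("open", "openat", "creat"):
            if ret >= 0:
                armed[(pid, ret)] = False   # fresh fd, nothing set on it yet
            continue
        argv = [a.strip() for a in args.split(",")]
        if not argv or not argv[0].lstrip("-").isdigit():
            continue                        # not an fd-based call
        key = (pid, int(argv[0]))
        if call == "close":
            armed.pop(key, None)            # fd numbers get reused
            continue
        if call == "fsetxattr":
            m = XATTR_RE.match(args)
            if ret == 0 and m and m.group("name") == IMA_XATTR:
                armed[key] = True
            continue
        if call == "utimensat" and (len(argv) < 2 or argv[1] != "NULL"):
            continue   # path form: the fd is only a directory, not the file
        if call in MUTATING_CALLS and armed.get(key):
            findings.append((pid, key[1], call))
    return findings


if __name__ == "__main__":
    trace = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for pid, fd, call in find_late_updates(trace):
        print(f"pid {pid}: {call}() on fd {fd} after {IMA_XATTR} was set")
```

Run it against a real capture with `strace -f -o trace.log bsdtar -x ...` followed by `python3 check_xattr_order.py trace.log`; on the constructed sample it reports only the first file, where utimensat() lands between fsetxattr() and close(). The script keys state on (pid, fd) and forgets it at close() because descriptors are reused, and it ignores the path form of utimensat(), where the fd is merely a directory.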