Menu
▾
▴
Re: [Linux-ima-user] [PATCH] evm: add exceptions for inodes without getxattr() support.
|
From: Mikhail K. <vie...@vi...> - 2016-12-28 18:09:06
|
В Wed, 28 Dec 2016 09:24:36 -0500 Mimi Zohar <zo...@li...> пишет: > On Wed, 2016-12-28 at 15:51 +0300, Mikhail Kurinnoi wrote: > > Removed from kernel boot command line "ima_appraise=fix evm=fix", I > > faced with a little bit strange audit log output. For example: > > ... > > pid=3237 uid=0 auid=4294967295 ses=4294967295 op="appraise_metadata" > > cause="fail" comm="cp" name="depconfig" fowner=0 dev="tmpfs" > > ino=6839 res=0 > > pid=4418 uid=0 auid=4294967295 ses=4294967295 op="appraise_metadata" > > cause="fail" comm="chgrp" name="utmp" fowner=0 dev="tmpfs" ino=11295 > > res=0 > > pid=4419 uid=0 auid=4294967295 ses=4294967295 op="appraise_metadata" > > cause="fail" comm="chmod" name="utmp" fowner=0 dev="tmpfs" ino=11295 > > res=0 > > pid=5040 uid=0 auid=4294967295 ses=4294967295 op="appraise_metadata" > > cause="fail" comm="cupsd" name="0" fowner=0 dev="tmpfs" ino=10778 > > res=0 > > pid=5611 uid=1000 auid=1000 ses=3 op="appraise_metadata" > > cause="fail" comm="X" name=".tX0-lock" fowner=0 dev="tmpfs" > > ino=11650 res=0 ... > > > > This output were logged with default policy (ima_appraise_tcb > > ima_tcb). As you can see (op="appraise_metadata"), this issue > > connected to evm_inode_setattr(), evm_inode_removexattr() and > > evm_inode_setxattr(). After some digging I found, that we don't > > count on getxattr() support in inode. I mean, we don't count on > > EOPNOTSUPP error code from evm_find_protected_xattrs(), as result, > > evm_verify_hmac() will return only INTEGRITY_FAIL error and > > legitimate attr/xattr(acls) changes will be not allowed by EVM. > > Before EVM allows a file to write file metadata it validates the > existing security.evm xattr. Only if it is valid, does EVM permit the > file metadata to change. Otherwise the updated security.evm xattr > would be based on bogus file metadata. Is the issue really that > getxattr() isn't supported or rather that these files were created > under a different policy, which didn't label the files properly? As I mentioned, I also test with default policy this time from the beginning to be sure this is not my policy issue again. For tmpfs in default policy we have only 2 lines with "dont_appraise" + "dont_measure" connected to magic number, and this is upper lines. My custom policy have same upper lines with magic numbers. Tmpfs support xattrs for sure, I tested this. Also, I add test ext4 FS partition with "dont_appraise" + "dont_measure" rules as upper lines of policy file. Result was the same. evm_find_protected_xattrs() return EOPNOTSUPP if I create new file and use chmod on it. If I change test ext4 FS partition policy to "appraise" I have no issues. So, this is not tmpfs or xattrs support issue. I just can add, that in evm_find_protected_xattrs() error message EOPNOTSUPP returned not by inode->i_op->getxattr test, but by inode->i_op->getxattr() execution itself. -- Best regards, Mikhail Kurinnoi |
