From: Mikhail K. <vie...@vi...> - 2016-12-29 04:02:34
On Wed, 28 Dec 2016 15:18:20 -0500
Mimi Zohar <zo...@li...> wrote:
> On Wed, 2016-12-28 at 21:08 +0300, Mikhail Kurinnoi wrote:
> > On Wed, 28 Dec 2016 09:24:36 -0500
> > Mimi Zohar <zo...@li...> wrote:
> >
> > > On Wed, 2016-12-28 at 15:51 +0300, Mikhail Kurinnoi wrote:
> > > > After removing "ima_appraise=fix evm=fix" from the kernel boot
> > > > command line, I was faced with slightly strange audit log output.
> > > > For example: ...
> > > > pid=3237 uid=0 auid=4294967295 ses=4294967295
> > > > op="appraise_metadata" cause="fail" comm="cp" name="depconfig"
> > > > fowner=0 dev="tmpfs" ino=6839 res=0
> > > > pid=4418 uid=0 auid=4294967295 ses=4294967295
> > > > op="appraise_metadata" cause="fail" comm="chgrp" name="utmp"
> > > > fowner=0 dev="tmpfs" ino=11295 res=0
> > > > pid=4419 uid=0 auid=4294967295 ses=4294967295
> > > > op="appraise_metadata" cause="fail" comm="chmod" name="utmp"
> > > > fowner=0 dev="tmpfs" ino=11295 res=0
> > > > pid=5040 uid=0 auid=4294967295 ses=4294967295
> > > > op="appraise_metadata" cause="fail" comm="cupsd" name="0"
> > > > fowner=0 dev="tmpfs" ino=10778 res=0
> > > > pid=5611 uid=1000 auid=1000 ses=3 op="appraise_metadata"
> > > > cause="fail" comm="X" name=".tX0-lock" fowner=0 dev="tmpfs"
> > > > ino=11650 res=0 ...
> > > >
> > > > This output was logged with the default policy (ima_appraise_tcb
> > > > ima_tcb). As you can see (op="appraise_metadata"), this issue is
> > > > connected to evm_inode_setattr(), evm_inode_removexattr() and
> > > > evm_inode_setxattr(). After some digging I found that we don't
> > > > take getxattr() support in the inode into account. I mean, we
> > > > don't take into account the EOPNOTSUPP error code from
> > > > evm_find_protected_xattrs(); as a result, evm_verify_hmac() will
> > > > return only INTEGRITY_FAIL and legitimate attr/xattr (ACL) changes
> > > > will not be allowed by EVM.
> > >
> > > Before EVM allows file metadata to be written, it validates the
> > > existing security.evm xattr. Only if it is valid does EVM
> > > permit the file metadata to change. Otherwise the updated
> > > security.evm xattr would be based on bogus file metadata. Is the
> > > issue really that getxattr() isn't supported, or rather that these
> > > files were created under a different policy, which didn't label
> > > the files properly?
> >
> > As I mentioned, I also tested with the default policy this time, from
> > the beginning, to be sure this is not my policy issue again. For tmpfs
> > in the default policy we have only 2 lines with "dont_appraise" +
> > "dont_measure" connected to the magic number, and these are the upper
> > lines. My custom policy has the same upper lines with magic numbers.
> >
> > Tmpfs supports xattrs for sure, I tested this.
> > Also, I added a test ext4 FS partition with "dont_appraise" +
> > "dont_measure" rules as the upper lines of the policy file. The result
> > was the same. evm_find_protected_xattrs() returns EOPNOTSUPP if I
> > create a new file and use chmod on it. If I change the test ext4 FS
> > partition policy to "appraise" I have no issues. So this is not a tmpfs
> > or xattrs support issue.
>
> It sounds like the file does not have the security.evm xattr before
> you do the chmod. Therefore it is failing. Please show the test
> steps, with the security xattrs after each step.
1.
/tmp - tmpfs mount point
default policy ("dont_appraise" + "dont_measure" for tmpfs).
# touch /tmp/test
# getfattr -m . -d -e hex /tmp/test
(no output, the file doesn't have any xattrs)
# chmod 666 /tmp/test
chmod: changing permissions of '/tmp/test': Operation not permitted
# getfattr -m . -d -e hex /tmp/test
(no output, the file doesn't have any xattrs)
# evmctl sign -a sha512 --imasig --key /privkey_ima.pem /tmp/test
setxattr failed: /tmp/test
errno: Operation not permitted (1)
# getfattr -m . -d -e hex /tmp/test
(no output, the file doesn't have any xattrs)
audit log:
pid=5989 uid=0 auid=1000 ses=3 op="appraise_metadata" cause="fail" comm="chmod" name="test" fowner=0 dev="tmpfs" ino=11884 res=0
pid=6062 uid=0 auid=1000 ses=3 op="appraise_metadata" cause="fail" comm="evmctl" name="test" fowner=0 dev="tmpfs" ino=11884 res=0
2.
/var/tmp - ext4 FS mount point (my test ext4 FS partition)
custom policy based on the default policy, with "dont_appraise" + "dont_measure" for the partition as the upper policy lines.
# touch /var/tmp/test
# getfattr -m . -d -e hex /var/tmp/test
(no output, the file doesn't have any xattrs)
# chmod 666 /var/tmp/test
chmod: changing permissions of '/var/tmp/test': Operation not permitted
# getfattr -m . -d -e hex /var/tmp/test
(no output, the file doesn't have any xattrs)
# evmctl sign -a sha512 --imasig --key /privkey_ima.pem /var/tmp/test
setxattr failed: /var/tmp/test
errno: Operation not permitted (1)
# getfattr -m . -d -e hex /var/tmp/test
(no output, the file doesn't have any xattrs)
audit log:
pid=7762 uid=0 auid=1000 ses=3 op="appraise_metadata" cause="fail" comm="chmod" name="test" fowner=0 dev="dm-2" ino=21 res=0
pid=7954 uid=0 auid=1000 ses=3 op="appraise_metadata" cause="fail" comm="evmctl" name="test" fowner=0 dev="dm-2" ino=21 res=0
3.
/ - ext4 FS mount point
default policy
# touch /test
# getfattr -m . -d -e hex /test
getfattr: Removing leading '/' from absolute path names
# file: test
security.evm=0x025aad22f99f6e283e966f827022ba59475442d41e
security.ima=0x0406cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
# chmod 666 /test
# getfattr -m . -d -e hex /test
getfattr: Removing leading '/' from absolute path names
# file: test
security.evm=0x02c920be3c9ff5e1460b5bf1a63658dc74b8669aed
security.ima=0x0406cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
# evmctl sign -a sha512 --imasig --key /privkey_ima.pem /test
# getfattr -m . -d -e hex /test
getfattr: Removing leading '/' from absolute path names
# file: test
security.evm=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
security.ima=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
# chmod 644 /test
# getfattr -m . -d -e hex /test
getfattr: Removing leading '/' from absolute path names
# file: test
security.evm=0x02499ed05040352f132106ae50d8d30f3d42c52b1b
security.ima=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
Tests with the kernel boot options "ima_appraise=fix evm=fix":
4.
/tmp - tmpfs mount point
default policy ("dont_appraise" + "dont_measure" for tmpfs).
# touch /tmp/test
# getfattr -m . -d -e hex /tmp/test
(no output, the file doesn't have any xattrs)
# chmod 666 /tmp/test
# getfattr -m . -d -e hex /tmp/test
(no output, the file doesn't have any xattrs)
# evmctl ima_hash -a sha512 /tmp/test
# getfattr -m . -d -e hex /tmp/test
getfattr: Removing leading '/' from absolute path names
# file: tmp/test
security.evm=0x025ca7312e6ee4b2c643b8b17714f90afff5ea6216
security.ima=0x0406cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
# chmod 644 /tmp/test
# getfattr -m . -d -e hex /tmp/test
(no output, the file doesn't have any xattrs)
5.
/var/tmp - ext4 FS mount point (my test ext4 FS partition)
custom policy based on the default policy, with "dont_appraise" + "dont_measure" for the partition as the upper policy lines.
# touch /var/tmp/test
# getfattr -m . -d -e hex /var/tmp/test
(no output, the file doesn't have any xattrs)
# chmod 666 /var/tmp/test
# getfattr -m . -d -e hex /var/tmp/test
(no output, the file doesn't have any xattrs)
# evmctl sign -a sha512 --imasig --key /privkey_ima.pem /var/tmp/test
# getfattr -m . -d -e hex /var/tmp/test
getfattr: Removing leading '/' from absolute path names
# file: var/tmp/test
security.evm=0x030202bd74b09a02003024fa292867c225340b3725754d21f5c61e7120a12478900458188dd5628527381ddbdbe931dc654c33fb61b9936216d1390521f9a8f5f868d8b70fdcf74a00dcea74a024292abb0006c102852abd393b569d19601b9dc8af56b73d621f37dd30d901f580f6344dc9bcfebf1059bded66e057f4a7b1f471fa4c3728051b0056b6e79b8ffdf05dd6fd651e4adabc68e4bfe7f0c5d1fc5f43c841d729ee636aaead68e9afbb5ff702e2b66a31004fcf461cad9edf80ca46b6648a463751d0b35045224ca618e3e6cfd0a98b53a6badc44a324f5e32cd98d6334152449f2c33cd91309bb6bfa41e055feb3d886e2f78dc413fc9dc0a56573bb2a6f3ebd05c92776682019ad486756c983846f9df4150665b28ca260527b38278dc41dd2eeda9be010af10f0c8f744b74a58c4b8c644705a180a658509fa29540ed7436ba0d27c2e569374eaec69f43453244aa66c034beeb14d8d6dd22fcd2a39d6e29d63342b5d498a9d347aff874b2f4445a33a95c4e6cde98c8e3bf4ed01fdfde6b100880b02cf4b2c6e43c94241f96569d57fd52d93f48bcfeaf638424ab4da6d03d09960c5f3cbef3f4a29a60bbce7fd756c5370d5035136763f7108200c6e019195bb81c42a16d0f3bb481388c07d78ff6faceafc1af59350b3693edfd6db5b48377632f73a85c760168834cdffecdc06df3a72993309ebbc38f5181a598ea26719c0d44e
security.ima=0x030206bd74b09a02004f92457d0c9808ec8e033d099aaf79ce80ec01ba8be87e6981174eebd219185f2af0da5800d328659bab984d2c2325b5443602f4703d9f2affda6b89a6cfb2684c260fd8ef38b3c9c42c5670f8efc66e721dcfe1db92b28181603342be0d0e74c30007eb95f0da7e7b8d5f51d70b64d763f12c0aa22ab064f5654fc0323915be3e7552d88aab563430a9d3537ddf4406119cbf87a86787102e765e3378dd5eb10cc36335d2264c6dfee8448047d9366c986b364feaaa9287481a17796d8c6549963cd22fbdac5ed030217e1972b31eb5ee22d5965ad2ecc137aff3e91b0cc6409568052f3b6e56836e6b5585997aac56eed055d62a959bf7dcba1ec1e3998db0b7a25c9ac9b1f6b1e7cf05052c053305ad5618342122705e57e71bd7bf1570718704d143a4663d690265129c6ccd3994e0a38a25f194b29fffe246220f2755c2b494f6f785b2ce56ef20558b0d1c8c8edde0b24614f8392a89959a02b2ee08042350eebfc928d574af21ff94b63a955dce530e4401c27e53d16b7d414c392dcd101d567b4b72976d307bac6848f574c4a1d6085be31c185b69cdd07ea0cfe014548eae829bc0a9a07aa46371dfbd30208a3d20573a2f5f0ca80b776ca1954e63027959c5df1ecbd77a70f42713a450d51a79e0c3f50eb12f0f966db2cf30273fb8bbf1956729b17fd34da59d5e6d51089207d92be635c406f66531589a15f0b5
# chmod 644 /var/tmp/test
# getfattr -m . -d -e hex /var/tmp/test
(no output, the file doesn't have any xattrs)
--
Best regards,
Mikhail Kurinnoi
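The integrity audit records quoted in this thread are the only evidence of which files EVM is refusing to let change. The following is an added example, not code from the thread, the kernel or ima-evm-utils: it parses records in the key=value form shown above (the records embedded in it are copied from the message; a real log line would also carry a `type=` and `msg=audit(...)` prefix, which the parser tolerates as extra fields), filters for `op="appraise_metadata" cause="fail"`, and summarises the failures per filesystem and per inode so one can see at a glance whether the refusals are confined to one mount, such as tmpfs, or hit the same unlabeled file repeatedly. The helper names and the `UNSET_ID` constant are this example's own; the value 4294967295 is the u32 rendering of -1 that the kernel prints for an unset auid/ses.

```python
"""Parse and summarise kernel integrity audit records (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed input: records quoted in the thread, one per line.
SAMPLE_RECORDS = """\
pid=3237 uid=0 auid=4294967295 ses=4294967295 op="appraise_metadata" cause="fail" comm="cp" name="depconfig" fowner=0 dev="tmpfs" ino=6839 res=0
pid=4418 uid=0 auid=4294967295 ses=4294967295 op="appraise_metadata" cause="fail" comm="chgrp" name="utmp" fowner=0 dev="tmpfs" ino=11295 res=0
pid=4419 uid=0 auid=4294967295 ses=4294967295 op="appraise_metadata" cause="fail" comm="chmod" name="utmp" fowner=0 dev="tmpfs" ino=11295 res=0
pid=5040 uid=0 auid=4294967295 ses=4294967295 op="appraise_metadata" cause="fail" comm="cupsd" name="0" fowner=0 dev="tmpfs" ino=10778 res=0
pid=5611 uid=1000 auid=1000 ses=3 op="appraise_metadata" cause="fail" comm="X" name=".tX0-lock" fowner=0 dev="tmpfs" ino=11650 res=0
pid=7762 uid=0 auid=1000 ses=3 op="appraise_metadata" cause="fail" comm="chmod" name="test" fowner=0 dev="dm-2" ino=21 res=0
"""

# key=value pairs: the value is either a double-quoted string or a bare token.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Fields the kernel prints as decimal numbers in these records.
_INT_FIELDS = {"pid", "uid", "auid", "ses", "fowner", "ino", "res"}

# (u32)-1: the kernel's rendering of an unset loginuid / session id.
UNSET_ID = 4294967295


def parse_record(line: str) -> Dict[str, object]:
    """Turn one audit line into a dict; numeric fields become ints."""
    fields: Dict[str, object] = {}
    for m in _FIELD_RE.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = int(value) if key in _INT_FIELDS else value
    return fields


def parse_records(text: str) -> List[Dict[str, object]]:
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def metadata_failures(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Records where EVM refused a metadata change."""
    return [r for r in records
            if r.get("op") == "appraise_metadata" and r.get("cause") == "fail"]


def summarize_by_fs(records: List[Dict[str, object]]) -> Dict[str, Counter]:
    """dev= -> Counter of the commands that were refused on that filesystem."""
    out: Dict[str, Counter] = {}
    for r in metadata_failures(records):
        out.setdefault(str(r["dev"]), Counter())[str(r["comm"])] += 1
    return out


def inodes_hit_repeatedly(records: List[Dict[str, object]]) -> List[Tuple[str, int]]:
    """(dev, ino) pairs refused more than once, e.g. chgrp then chmod on the
    same utmp inode: successive metadata changes to one unlabeled file."""
    c = Counter((str(r["dev"]), int(r["ino"])) for r in metadata_failures(records))
    return sorted(k for k, n in c.items() if n > 1)


def boot_time_records(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Records with an unset auid: produced outside any login session,
    typically by early boot or service processes."""
    return [r for r in records if r.get("auid") == UNSET_ID]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for dev, counts in summarize_by_fs(recs).items():
        print(dev, dict(counts))
    print("repeated:", inodes_hit_repeatedly(recs))
    print("boot-time:", [r["comm"] for r in boot_time_records(recs)])
```

Feed it `ausearch -m INTEGRITY_METADATA --raw` output instead of the embedded sample to run it against a live log; the per-filesystem breakdown is what distinguishes "one mount with a dont_appraise rule" from "every file on the system".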