From: Mikhail K. <vie...@vi...> - 2016-12-30 16:02:09
On Fri, 30 Dec 2016 08:15:31 -0500
Mimi Zohar <zo...@li...> wrote:
> On Thu, 2016-12-29 at 23:56 +0300, Mikhail Kurinnoi wrote:
>
> > > On Fedora, "touch" creates the selinux label, which results in an
> > > EVM label as well. Everything works as expected.
> >
> >
> > I don't use SELinux; with the "dont_appraise" policy, "touch" doesn't
> > create any xattrs that should be protected. And, since I see the
> > -EOPNOTSUPP error from getxattr(), this means the ->list, ->get, and
> > ->set xattr handler operations were removed from the inode and I have
> > disabled xattr support in the inode. I have no idea why that is; this is
> > probably some kind of xattr-related work issue.
>
> It's kind of irrelevant, but I'd like to know why it isn't working.
> Are you running these tests in a VM or container? (If in a
> container, what type of container?)
I am testing on hardware directly and don't use containers.
> > I tested the "security.foo" xattr, but this is not working. It looks
> > like this works only with xattrs that should be protected by EVM.
>
> By "not working", what do you mean? Are you able to write the
> security.foo xattr?
Let me clear up this misunderstanding with tests.
Test with default code:
# touch /var/tmp/test
# getfattr -m . -d -e hex /var/tmp/test
(no output, the file doesn't have any xattrs)
# setfattr -n security.foo -v "123" /var/tmp/test
# getfattr -m . -d -e hex /var/tmp/test
getfattr: Removing leading '/' from absolute path names
# file: var/tmp/test
security.foo=0x313233
# chmod 666 /var/tmp/test
chmod: changing permissions of '/var/tmp/test': Operation not permitted
# getfattr -m . -d -e hex /var/tmp/test
getfattr: Removing leading '/' from absolute path names
# file: var/tmp/test
security.foo=0x313233
audit syslog output:
pid=17259 uid=0 auid=1000 ses=3 op="appraise_metadata" cause="fail" comm="chmod" name="test" fowner=0 dev="dm-2" ino=18 res=0
Test with "security.foo" added to evm_config_xattrnames[] and evm_protect_xattr() corrected with:
    if (strcmp(xattr_name, "security.foo") == 0)
        return 0;
(yes, a little bit tricky, but I need an xattr protected by EVM that I am permitted to add).
# touch /var/tmp/test
# getfattr -m . -d -e hex /var/tmp/test
(no output, the file doesn't have any xattrs)
# setfattr -n security.foo -v "123" /var/tmp/test
# getfattr -m . -d -e hex /var/tmp/test
getfattr: Removing leading '/' from absolute path names
# file: var/tmp/test
security.evm=0x023515cb04bd7868d4cc10e04c90f80297acbb33c2
security.foo=0x313233
# chmod 666 /var/tmp/test
# ls -l /var/tmp/test
-rw-rw-rw- 1 root root 0 Dec 30 17:25 /var/tmp/test
# getfattr -m . -d -e hex /var/tmp/test
getfattr: Removing leading '/' from absolute path names
# file: var/tmp/test
security.evm=0x023522bf071da41b6c7ddf74098f55f1b1df2ae768
security.foo=0x313233
Tests after my patch is applied (default evm_config_xattrnames[]), as some kind of confirmation that evm_verify_hmac() returns the INTEGRITY_UNKNOWN error; in the case of evm_verify_hmac() this means we have some xattr support issue in the inode/FS (as you understand, this patch doesn't fix the initial issue in any way; I add this test in order to provide you with as much information as I can).
# touch /var/tmp/test
# getfattr -m . -d -e hex /var/tmp/test
(no output, the file doesn't have any xattrs)
# setfattr -n security.foo -v "123" /var/tmp/test
# getfattr -m . -d -e hex /var/tmp/test
getfattr: Removing leading '/' from absolute path names
# file: var/tmp/test
security.foo=0x313233
# chmod 666 /var/tmp/test
# ls -l /var/tmp/test
-rw-rw-rw- 1 root root 0 Dec 30 17:57 /var/tmp/test
# getfattr -m . -d -e hex /var/tmp/test
getfattr: Removing leading '/' from absolute path names
# file: var/tmp/test
security.foo=0x313233
--
Best regards,
Mikhail Kurinnoi
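The audit record quoted in the message above (op="appraise_metadata" cause="fail" ... res=0) is the signal a defender would want to pick out of syslog. As an added example, not part of this thread or of the kernel code it discusses, here is a small Python parser for IMA/EVM integrity audit records that extracts the key=value fields and flags failed appraisals; the first sample line is the one quoted above, the second is a constructed passing record in the same format.

```python
import re
from typing import Dict, List

# Constructed sample input: line 1 is the record quoted in the message,
# line 2 is a made-up passing record (res=1) for contrast.
SAMPLE_AUDIT = """\
pid=17259 uid=0 auid=1000 ses=3 op="appraise_metadata" cause="fail" comm="chmod" name="test" fowner=0 dev="dm-2" ino=18 res=0
pid=17260 uid=0 auid=1000 ses=3 op="appraise_metadata" cause="pass" comm="cat" name="test" fowner=0 dev="dm-2" ino=18 res=1
"""

# One key=value field; the value is either double-quoted or a bare token.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> Dict[str, str]:
    """Split one integrity audit record into a {key: value} dictionary."""
    fields: Dict[str, str] = {}
    for m in _FIELD.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def failed_appraisals(text: str) -> List[Dict[str, str]]:
    """Return the appraise_* records whose result is failure (res=0)."""
    hits = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("op", "").startswith("appraise") and rec.get("res") == "0":
            hits.append(rec)
    return hits


def summarize(rec: Dict[str, str]) -> str:
    """One-line human-readable description of a failed appraisal record."""
    return (f'{rec["op"]} failed for "{rec["name"]}" '
            f'(dev={rec["dev"]} ino={rec["ino"]}) by comm={rec["comm"]} '
            f'uid={rec["uid"]} auid={rec["auid"]}: cause={rec["cause"]}')


if __name__ == "__main__":
    for rec in failed_appraisals(SAMPLE_AUDIT):
        print(summarize(rec))
```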