From: Mimi Z. <zo...@li...> - 2017-01-03 13:13:56
On Fri, 2016-12-30 at 19:01 +0300, Mikhail Kurinnoi wrote:
> On Fri, 30 Dec 2016 08:15:31 -0500
> Mimi Zohar <zo...@li...> wrote:
>
> > On Thu, 2016-12-29 at 23:56 +0300, Mikhail Kurinnoi wrote:
> >
> > > > On Fedora, "touch" creates the selinux label, which results in an
> > > > EVM label as well. Everything works as expected.
> > >
> > > I don't use SELinux, with "dont_appraise" policy "touch" doesn't
> > > create any xattrs that should be protected. And, since I see
> > > -EOPNOTSUPP error from getxattr(), this means ->list, ->get, and
> > > ->set xattr handler operations removed in inode and I have disabled
> > > xattr support in inode. Have no idea why it's so, this is probably
> > > some kind of xattrs related work issue.

From your test below, you are able to write security.foo. So, the
setxattr/getxattr ops are valid.

This sounds like commit "c68ed80c97d9 ima: limit file hash setting by
user to fix and log modes" is preventing writing security.ima hashes.
We've just reverted this patch during the latest open window. Writing
a file signature as security.ima should work.

> > It's kind of irrelevant, but I'd like to know why it isn't working.
> > Are you running these tests in a VM or container? (If in a
> > container, what type of container?)
>
> I am testing on hardware directly and don't use containers.
>
> > > I tested "security.foo" xattr, but this is not working. Looks like
> > > this works only with xattrs that should be protected by EVM.
> >
> > By "not working", what do you mean? Are you able to write the
> > security.foo xattr?
>
> Let me fix this misunderstanding by tests.
> Test with default code:
>
> # touch /var/tmp/test
> # getfattr -m . -d -e hex /var/tmp/test
> (no output, file doesn't have any xattrs)
> # setfattr -n security.foo -v "123" /var/tmp/test

Right, the ops exist.

> # getfattr -m . -d -e hex /var/tmp/test
> getfattr: Removing leading '/' from absolute path names
> # file: var/tmp/test
> security.foo=0x313233
> # chmod 666 /var/tmp/test
> chmod: changing permissions of '/var/tmp/test': Operation not permitted

All files in the IMA appraise policy require an IMA hash or signature.
With the "ima_appraise_policy", all files owned by root must be
appraised either based on the file hash or file signature. Other
policies might require file signatures.

Mimi

> # getfattr -m . -d -e hex /var/tmp/test
> getfattr: Removing leading '/' from absolute path names
> # file: var/tmp/test
> security.foo=0x313233
>
> audit syslog output:
> pid=17259 uid=0 auid=1000 ses=3 op="appraise_metadata" cause="fail" comm="chmod" name="test" fowner=0 dev="dm-2" ino=18 res=0
>
>
> Test with "security.foo" added into evm_config_xattrnames[] and
> evm_protect_xattr() corrected:
>
>     if (strcmp(xattr_name, "security.foo") == 0)
>         return 0;
>
> (yes, a little bit tricky, but I need an xattr protected by EVM that I
> am permitted to add).
>
> # touch /var/tmp/test
> # getfattr -m . -d -e hex /var/tmp/test
> (no output, file doesn't have any xattrs)
> # setfattr -n security.foo -v "123" /var/tmp/test
> # getfattr -m . -d -e hex /var/tmp/test
> getfattr: Removing leading '/' from absolute path names
> # file: var/tmp/test
> security.evm=0x023515cb04bd7868d4cc10e04c90f80297acbb33c2
> security.foo=0x313233
> # chmod 666 /var/tmp/test
> # ls -l /var/tmp/test
> -rw-rw-rw- 1 root root 0 Dec 30 17:25 /var/tmp/test
> # getfattr -m . -d -e hex /var/tmp/test
> getfattr: Removing leading '/' from absolute path names
> # file: var/tmp/test
> security.evm=0x023522bf071da41b6c7ddf74098f55f1b1df2ae768
> security.foo=0x313233
>
>
> Tests, after my patch applied (default evm_config_xattrnames[]), as
> some kind of confirmation that evm_verify_hmac() returns the
> INTEGRITY_UNKNOWN error; in the case of evm_verify_hmac() this means
> we have some xattrs support issue in the inode/FS (as you understand,
> this patch doesn't fix the initial issue in any way, I add this test in
> order to provide you as much information as I can).
>
> # touch /var/tmp/test
> # getfattr -m . -d -e hex /var/tmp/test
> (no output, file doesn't have any xattrs)
> # setfattr -n security.foo -v "123" /var/tmp/test
> # getfattr -m . -d -e hex /var/tmp/test
> getfattr: Removing leading '/' from absolute path names
> # file: var/tmp/test
> security.foo=0x313233
> # chmod 666 /var/tmp/test
> # ls -l /var/tmp/test
> -rw-rw-rw- 1 root root 0 Dec 30 17:57 /var/tmp/test
> # getfattr -m . -d -e hex /var/tmp/test
> getfattr: Removing leading '/' from absolute path names
> # file: var/tmp/test
> security.foo=0x313233
>
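The "appraise_metadata" audit record quoted above is what an operator sees when an IMA/EVM appraisal policy refuses a metadata change such as the chmod in this thread. The following script is an added example, not code from this thread or from the linux-ima project: it parses integrity audit records into their key=value fields and flags the ones where an appraise_* hook denied the operation (res=0). The first sample record is the one quoted in the thread; the other two records, the hypothetical audit(...) prefix and the field values in them are constructed for contrast.

```python
"""Flag IMA/EVM appraisal denials in integrity audit records.

Added example for this thread, not code from the linux-ima project. The
first sample record is the "appraise_metadata" line quoted in the thread;
the other two are constructed here to show records that must not be flagged.
"""
import re
from typing import Dict, Iterable, List

# One key=value field: the value is either a double-quoted string (audit
# quotes values such as op=, cause=, comm=, name=) or a bare token.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_RECORDS = [
    # From the thread: chmod refused because the root-owned file carried no
    # IMA hash/signature and therefore failed the appraise policy.
    'pid=17259 uid=0 auid=1000 ses=3 op="appraise_metadata" cause="fail" '
    'comm="chmod" name="test" fowner=0 dev="dm-2" ino=18 res=0',
    # Constructed: same hook, but res=1 (the operation was permitted), with
    # the type=/msg= prefix that auditd writes in front of the fields.
    'type=INTEGRITY_METADATA msg=audit(1483000000.000:11): pid=17300 uid=0 '
    'auid=1000 ses=3 op="appraise_metadata" cause="no_xattrs" comm="chmod" '
    'name="other" dev="dm-2" ino=19 res=1',
    # Constructed: a measurement error, not an appraisal decision.
    'pid=17301 uid=0 auid=1000 ses=3 op="collect_data" cause="hashing_error" '
    'comm="cat" name="notes" dev="dm-2" ino=20 res=0',
]


def parse_integrity_record(line: str) -> Dict[str, str]:
    """Return the key/value fields of one integrity audit record, unquoted."""
    fields: Dict[str, str] = {}
    for key, raw in _FIELD_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_appraisal_denial(fields: Dict[str, str]) -> bool:
    """True when an appraise_* hook refused the audited operation.

    In integrity audit records res=0 means the action failed (was denied)
    and res=1 means it was allowed.
    """
    return fields.get("op", "").startswith("appraise") and fields.get("res") == "0"


def find_appraisal_denials(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Collect a compact summary of every appraisal denial in the input."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        fields = parse_integrity_record(line)
        if is_appraisal_denial(fields):
            hits.append({key: fields.get(key, "")
                         for key in ("pid", "op", "cause", "comm", "name", "dev", "ino")})
    return hits


if __name__ == "__main__":
    for hit in find_appraisal_denials(SAMPLE_RECORDS):
        print("appraisal denied:", hit)
```

Run against a real system, the input would be the INTEGRITY_* lines from ausearch or the kernel log; the dev/ino pair in each hit identifies the file whose missing or stale security.ima/security.evm xattr caused the denial, which is the first thing to check when, as in this thread, a file shows up with no IMA hash at all.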