Menu
▾
▴
Re: [Linux-ima-user] [PATCH] evm: add exceptions for inodes without getxattr() support.
|
From: Mimi Z. <zo...@li...> - 2017-01-03 23:42:50
|
On Tue, 2017-01-03 at 21:03 +0300, Mikhail Kurinnoi wrote: > В Tue, 03 Jan 2017 08:13:42 -0500 > Mimi Zohar <zo...@li...> пишет: > > > Let me fix this misunderstanding by tests. > > > Test with default code: > > > > > > # touch /var/tmp/test > > > # getfattr -m . -d -e hex /var/tmp/test > > > (no output, file don't have any xattrs) > > > # setfattr -n security.foo -v "123" /var/tmp/test > > > > Right, the ops exist. > > > > > # getfattr -m . -d -e hex /var/tmp/test > > > getfattr: Removing leading '/' from absolute path names > > > # file: var/tmp/test > > > security.foo=0x313233 > > > # chmod 666 /var/tmp/test > > > chmod: changing permissions of '/var/tmp/test': Operation not > > > permitted > > > > All files in the IMA appraise policy require an IMA hash or signature. > > With the "ima_appraise_policy", all files owned by root must be > > appraised either based on the file hash or file signature. Other > > policies might require file signatures. > > > I think the issue also related to evm_calc_hmac_or_hash(). > Before cycle, we set error to -ENODATA. In the same time, if we don't > have any xattrs for protection, error will never changed from -ENODATA > to 0. So, we will return -ENODATA error into evm_update_evmxattr(). In > this case, evm_update_evmxattr() will not protect uid/gid/mode by > security.evm, but remove security.evm instead, if it's available. For files not in policy (there aren't any xattrs), I was able to do the chmod without problems. # touch /var/tmp/test # getfattr -m ^security -e hex --dump /var/tmp/test # chmod 666 /var/tmp/test # getfattr -m ^security -e hex --dump /var/tmp/test # ls -lat /var/tmp/test -rw-rw-rw- 1 root root 0 Jan 3 18:16 /var/tmp/test We've already shown that you can write security xattrs (security.foo). So it isn't an issue that the xattr ops don't exist. Why isn't it returning INTEGRITY_NOXATTRS? Mimi > Probably, we should protect uid/gid/mode even if we don't have xattrs > for protection. In this case all files will have security.evm xattr. |
