From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: [PATCH v3 3/7] ima-evm-utils: Define the '--xattr-user' option for testing
Date: Mon, 3 Dec 2018 06:35:21 +0300 [thread overview]
Message-ID: <20181203033525.20431-3-vt@altlinux.org> (raw)
In-Reply-To: <20181203033525.20431-1-vt@altlinux.org>
The IMA/EVM attributes are currently stored in the "security" namespace,
which requires root privileges. Storing the ima/evm attributes in the
"user" namespace, instead of the "security" namespace, would be useful
for debugging and testing purposes, and because "--sigfile" does not
work for evm signatures.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
Changes since v1:
- No code changes. Only the description is reworded.
Changes since v2:
- Update README.
README | 1 +
src/evmctl.c | 33 +++++++++++++++++++++------------
src/libimaevm.c | 2 +-
3 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/README b/README
index 4805564..05cc2ff 100644
--- a/README
+++ b/README
@@ -44,6 +44,7 @@ OPTIONS
-s, --imasig make IMA signature
-d, --imahash make IMA hash
-f, --sigfile store IMA signature in .sig file instead of xattr
+ --xattr-user store xattrs in user namespace (for testing purposes)
--rsa use RSA key type and signing scheme v1
-k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
-o, --portable generate portable EVM signatures
diff --git a/src/evmctl.c b/src/evmctl.c
index f019a67..f4df027 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -145,6 +145,9 @@ static int find(const char *path, int dts, find_cb_t func);
struct command cmds[];
static void print_usage(struct command *cmd);
+static const char *xattr_ima = "security.ima";
+static const char *xattr_evm = "security.evm";
+
static int bin2file(const char *file, const char *ext, const unsigned char *data, int len)
{
FILE *fp;
@@ -533,7 +536,7 @@ static int sign_evm(const char *file, const char *key)
dump(sig, len);
if (xattr) {
- err = lsetxattr(file, "security.evm", sig, len, 0);
+ err = lsetxattr(file, xattr_evm, sig, len, 0);
if (err < 0) {
log_err("setxattr failed: %s\n", file);
return err;
@@ -572,7 +575,7 @@ static int hash_ima(const char *file)
dump(hash, len);
if (xattr) {
- err = lsetxattr(file, "security.ima", hash, len, 0);
+ err = lsetxattr(file, xattr_ima, hash, len, 0);
if (err < 0) {
log_err("setxattr failed: %s\n", file);
return err;
@@ -609,7 +612,7 @@ static int sign_ima(const char *file, const char *key)
bin2file(file, "sig", sig, len);
if (xattr) {
- err = lsetxattr(file, "security.ima", sig, len, 0);
+ err = lsetxattr(file, xattr_ima, sig, len, 0);
if (err < 0) {
log_err("setxattr failed: %s\n", file);
return err;
@@ -778,14 +781,14 @@ static int verify_evm(const char *file)
if (mdlen <= 1)
return mdlen;
- len = lgetxattr(file, "security.evm", sig, sizeof(sig));
+ len = lgetxattr(file, xattr_evm, sig, sizeof(sig));
if (len < 0) {
log_err("getxattr failed: %s\n", file);
return len;
}
if (sig[0] != 0x03) {
- log_err("security.evm has no signature\n");
+ log_err("%s has no signature\n", xattr_evm);
return -1;
}
@@ -821,7 +824,7 @@ static int verify_ima(const char *file)
memcpy(sig, tmp, len);
free(tmp);
} else {
- len = lgetxattr(file, "security.ima", sig, sizeof(sig));
+ len = lgetxattr(file, xattr_ima, sig, sizeof(sig));
if (len < 0) {
log_err("getxattr failed: %s\n", file);
return len;
@@ -964,7 +967,7 @@ static int setxattr_ima(const char *file, char *sig_file)
if (!sig)
return 0;
- err = lsetxattr(file, "security.ima", sig, len, 0);
+ err = lsetxattr(file, xattr_ima, sig, len, 0);
if (err < 0)
log_err("setxattr failed: %s\n", file);
free(sig);
@@ -1162,7 +1165,7 @@ static int hmac_evm(const char *file, const char *key)
if (xattr) {
sig[0] = EVM_XATTR_HMAC;
- err = lsetxattr(file, "security.evm", sig, len + 1, 0);
+ err = lsetxattr(file, xattr_evm, sig, len + 1, 0);
if (err < 0) {
log_err("setxattr failed: %s\n", file);
return err;
@@ -1218,9 +1221,9 @@ static int ima_fix(const char *path)
}
for (; size > 0; len++, size -= len, list += len) {
len = strlen(list);
- if (!strcmp(list, "security.ima"))
+ if (!strcmp(list, xattr_ima))
ima = 1;
- else if (!strcmp(list, "security.evm"))
+ else if (!strcmp(list, xattr_evm))
evm = 1;
}
if (ima && evm)
@@ -1297,8 +1300,8 @@ static int cmd_ima_fix(struct command *cmd)
static int ima_clear(const char *path)
{
log_info("%s\n", path);
- lremovexattr(path, "security.ima");
- lremovexattr(path, "security.evm");
+ lremovexattr(path, xattr_ima);
+ lremovexattr(path, xattr_evm);
return 0;
}
@@ -1654,6 +1657,7 @@ static void usage(void)
" -s, --imasig make IMA signature\n"
" -d, --imahash make IMA hash\n"
" -f, --sigfile store IMA signature in .sig file instead of xattr\n"
+ " --xattr-user store xattrs in user namespace (for testing purposes)\n"
" --rsa use RSA key type and signing scheme v1\n"
" -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n"
" -o, --portable generate portable EVM signatures\n"
@@ -1728,6 +1732,7 @@ static struct option opts[] = {
{"selinux", 1, 0, 136},
{"caps", 2, 0, 137},
{"list", 0, 0, 138},
+ {"xattr-user", 0, 0, 140},
{}
};
@@ -1879,6 +1884,10 @@ int main(int argc, char *argv[])
case 138:
measurement_list = 1;
break;
+ case 140: /* --xattr-user */
+ xattr_ima = "user.ima";
+ xattr_evm = "user.evm";
+ break;
case '?':
exit(1);
break;
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 80b61a2..34501ca 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -595,7 +595,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
int hashlen, sig_hash_algo;
if (sig[0] != 0x03) {
- log_err("security.ima has no signature\n");
+ log_err("xattr ima has no signature\n");
return -1;
}
--
2.11.0
next prev parent reply other threads:[~2018-12-03 3:35 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-03 3:35 [PATCH v3 1/7] ima-evm-utils: Fix hash buffer overflow in verify_evm and hmac_evm Vitaly Chikunov
2018-12-03 3:35 ` [PATCH v3 2/7] ima-evm-utils: Define hash and sig buffer sizes and add asserts Vitaly Chikunov
2018-12-03 3:35 ` Vitaly Chikunov [this message]
2018-12-03 3:35 ` [PATCH v3 4/7] ima-evm-utils: Allow using Streebog hash function Vitaly Chikunov
2018-12-03 3:35 ` [PATCH v3 5/7] ima-evm-utils: Preload OpenSSL engine via '--engine' option Vitaly Chikunov
2018-12-03 3:35 ` [PATCH v3 6/7] ima-evm-utils: Extract digest algorithms from hash_info.h Vitaly Chikunov
2018-12-03 3:35 ` [PATCH v3 7/7] ima-evm-utils: Try to load digest by its alias Vitaly Chikunov
2019-02-11 17:38 ` Mimi Zohar
2019-02-11 17:52 ` Vitaly Chikunov
2019-02-11 17:59 ` Mimi Zohar
2019-02-11 18:13 ` Vitaly Chikunov
2019-02-11 18:21 ` Vitaly Chikunov
2019-02-11 19:26 ` Vitaly Chikunov
2019-02-11 20:21 ` Mimi Zohar
2019-02-11 20:37 ` Vitaly Chikunov
2019-02-12 15:41 ` Mimi Zohar
2019-02-12 17:07 ` Vitaly Chikunov
2018-12-03 13:03 ` [PATCH v3 1/7] ima-evm-utils: Fix hash buffer overflow in verify_evm and hmac_evm Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181203033525.20431-3-vt@altlinux.org \
--to=vt@altlinux.org \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.