From: Mimi Zohar <zohar@linux.ibm.com>
To: Vitaly Chikunov <vt@altlinux.org>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: Re: [PATCH v2 3/7] ima-evm-utils: Define the '--xattr-user' option for testing
Date: Fri, 30 Nov 2018 14:20:53 -0500 [thread overview]
Message-ID: <1543605653.4216.69.camel@linux.ibm.com> (raw)
In-Reply-To: <20181128200610.21214-3-vt@altlinux.org>
On Wed, 2018-11-28 at 23:06 +0300, Vitaly Chikunov wrote:
> The IMA/EVM attributes are currently stored in the "security" namespace,
> which requires root privileges. Storing the ima/evm attributes in the
> "user" namespace, instead of the "security" namespace, would be useful
> for debugging and testing purposes, and because "--sigfile" does not
> work for evm signatures.
>
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> ---
> Changes since v1:
> - No code changes. Only the description is reworded.
>
> src/evmctl.c | 32 ++++++++++++++++++++------------
> src/libimaevm.c | 2 +-
> 2 files changed, 21 insertions(+), 13 deletions(-)
Missing is the manpage change, which is created based on the README.
Perhaps it is in a later patch.
Mimi
>
> diff --git a/src/evmctl.c b/src/evmctl.c
> index f53c684..9cbc2cb 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -145,6 +145,9 @@ static int find(const char *path, int dts, find_cb_t func);
> struct command cmds[];
> static void print_usage(struct command *cmd);
>
> +static const char *xattr_ima = "security.ima";
> +static const char *xattr_evm = "security.evm";
> +
> static int bin2file(const char *file, const char *ext, const unsigned char *data, int len)
> {
> FILE *fp;
> @@ -533,7 +536,7 @@ static int sign_evm(const char *file, const char *key)
> dump(sig, len);
>
> if (xattr) {
> - err = lsetxattr(file, "security.evm", sig, len, 0);
> + err = lsetxattr(file, xattr_evm, sig, len, 0);
> if (err < 0) {
> log_err("setxattr failed: %s\n", file);
> return err;
> @@ -572,7 +575,7 @@ static int hash_ima(const char *file)
> dump(hash, len);
>
> if (xattr) {
> - err = lsetxattr(file, "security.ima", hash, len, 0);
> + err = lsetxattr(file, xattr_ima, hash, len, 0);
> if (err < 0) {
> log_err("setxattr failed: %s\n", file);
> return err;
> @@ -609,7 +612,7 @@ static int sign_ima(const char *file, const char *key)
> bin2file(file, "sig", sig, len);
>
> if (xattr) {
> - err = lsetxattr(file, "security.ima", sig, len, 0);
> + err = lsetxattr(file, xattr_ima, sig, len, 0);
> if (err < 0) {
> log_err("setxattr failed: %s\n", file);
> return err;
> @@ -778,14 +781,14 @@ static int verify_evm(const char *file)
> if (mdlen <= 1)
> return mdlen;
>
> - len = lgetxattr(file, "security.evm", sig, sizeof(sig));
> + len = lgetxattr(file, xattr_evm, sig, sizeof(sig));
> if (len < 0) {
> log_err("getxattr failed: %s\n", file);
> return len;
> }
>
> if (sig[0] != 0x03) {
> - log_err("security.evm has no signature\n");
> + log_err("%s has no signature\n", xattr_evm);
> return -1;
> }
>
> @@ -821,7 +824,7 @@ static int verify_ima(const char *file)
> memcpy(sig, tmp, len);
> free(tmp);
> } else {
> - len = lgetxattr(file, "security.ima", sig, sizeof(sig));
> + len = lgetxattr(file, xattr_ima, sig, sizeof(sig));
> if (len < 0) {
> log_err("getxattr failed: %s\n", file);
> return len;
> @@ -964,7 +967,7 @@ static int setxattr_ima(const char *file, char *sig_file)
> if (!sig)
> return 0;
>
> - err = lsetxattr(file, "security.ima", sig, len, 0);
> + err = lsetxattr(file, xattr_ima, sig, len, 0);
> if (err < 0)
> log_err("setxattr failed: %s\n", file);
> free(sig);
> @@ -1162,7 +1165,7 @@ static int hmac_evm(const char *file, const char *key)
>
> if (xattr) {
> sig[0] = EVM_XATTR_HMAC;
> - err = lsetxattr(file, "security.evm", sig, len + 1, 0);
> + err = lsetxattr(file, xattr_evm, sig, len + 1, 0);
> if (err < 0) {
> log_err("setxattr failed: %s\n", file);
> return err;
> @@ -1218,9 +1221,9 @@ static int ima_fix(const char *path)
> }
> for (; size > 0; len++, size -= len, list += len) {
> len = strlen(list);
> - if (!strcmp(list, "security.ima"))
> + if (!strcmp(list, xattr_ima))
> ima = 1;
> - else if (!strcmp(list, "security.evm"))
> + else if (!strcmp(list, xattr_evm))
> evm = 1;
> }
> if (ima && evm)
> @@ -1297,8 +1300,8 @@ static int cmd_ima_fix(struct command *cmd)
> static int ima_clear(const char *path)
> {
> log_info("%s\n", path);
> - lremovexattr(path, "security.ima");
> - lremovexattr(path, "security.evm");
> + lremovexattr(path, xattr_ima);
> + lremovexattr(path, xattr_evm);
>
> return 0;
> }
> @@ -1728,6 +1731,7 @@ static struct option opts[] = {
> {"selinux", 1, 0, 136},
> {"caps", 2, 0, 137},
> {"list", 0, 0, 138},
> + {"xattr-user", 0, 0, 140},
> {}
>
> };
> @@ -1879,6 +1883,10 @@ int main(int argc, char *argv[])
> case 138:
> measurement_list = 1;
> break;
> + case 140: /* --xattr-user */
> + xattr_ima = "user.ima";
> + xattr_evm = "user.evm";
> + break;
> case '?':
> exit(1);
> break;
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index 80b61a2..34501ca 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -595,7 +595,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
> int hashlen, sig_hash_algo;
>
> if (sig[0] != 0x03) {
> - log_err("security.ima has no signature\n");
> + log_err("xattr ima has no signature\n");
> return -1;
> }
>
next prev parent reply other threads:[~2018-11-30 19:21 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-28 20:06 [PATCH v2 1/7] ima-evm-utils: Fix hash buffer overflow in verify_evm and hmac_evm Vitaly Chikunov
2018-11-28 20:06 ` [PATCH v2 2/7] ima-evm-utils: Define hash and sig buffer sizes and add asserts Vitaly Chikunov
2018-11-30 19:21 ` Mimi Zohar
2018-11-28 20:06 ` [PATCH v2 3/7] ima-evm-utils: Define the '--xattr-user' option for testing Vitaly Chikunov
2018-11-30 19:20 ` Mimi Zohar [this message]
2018-11-28 20:06 ` [PATCH v2 4/7] ima-evm-utils: Allow using Streebog hash function Vitaly Chikunov
2018-11-30 19:21 ` Mimi Zohar
2018-11-28 20:06 ` [PATCH v2 5/7] ima-evm-utils: Preload OpenSSL engine via '--engine' option Vitaly Chikunov
2018-11-30 19:21 ` Mimi Zohar
2018-12-01 3:01 ` Vitaly Chikunov
2018-12-02 14:47 ` Mimi Zohar
2018-11-28 20:06 ` [PATCH v2 6/7] ima-evm-utils: Extract digest algorithms from hash_info.h Vitaly Chikunov
2018-11-28 20:06 ` [PATCH v2 7/7] ima-evm-utils: Try to load digest by its alias Vitaly Chikunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1543605653.4216.69.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=vt@altlinux.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).