* [PATCH 0/1] ima: check control characters in policy path
@ 2021-08-14 8:13 Tianxing Zhang
2021-08-14 12:47 ` James Bottomley
0 siblings, 1 reply; 2+ messages in thread
From: Tianxing Zhang @ 2021-08-14 8:13 UTC (permalink / raw)
To: zohar; +Cc: linux-integrity, linux-security-module, linux-kernel,
Tianxing Zhang
Hi,
IMA policy can be updated with /sys/kernel/security/ima/policy interface when
CONFIG_IMA_WRITE_POLICY is set. However, kernel does not check the file path
carefully. It only checks if the path has '/' prefix.
When a policy file path contains control characters like '\r' or '\b',
invalid error messages can be printed to overwrite system messages.
For example:
$ echo -e "/\rtest invalid path: ddddddddddddddddddddd" > /sys/kernel/security/ima/policy
$ dmesg
test invalid path: ddddddddddddddddddddd (-2)
After adding this patch, we'll be able to throw out error message:
$ echo -e "/\rtest invalid path: ddddddddddddddddddddd" > /sys/kernel/security/ima/policy
-bash: echo: write error: Invalid argument
$ dmesg
[ 11.684004] ima: invalid path (control characters are not allowed)
[ 11.684071] ima: policy update failed
Any suggestions would be appreciated, thank you.
Tianxing Zhang (1):
ima: check control characters in policy file path
security/integrity/ima/ima_fs.c | 9 +++++++++
1 file changed, 9 insertions(+)
--
2.25.1
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH 0/1] ima: check control characters in policy path
2021-08-14 8:13 [PATCH 0/1] ima: check control characters in policy path Tianxing Zhang
@ 2021-08-14 12:47 ` James Bottomley
0 siblings, 0 replies; 2+ messages in thread
From: James Bottomley @ 2021-08-14 12:47 UTC (permalink / raw)
To: Tianxing Zhang, zohar
Cc: linux-integrity, linux-security-module, linux-kernel
On Sat, 2021-08-14 at 16:13 +0800, Tianxing Zhang wrote:
> Hi,
>
> IMA policy can be updated with /sys/kernel/security/ima/policy
> interface when CONFIG_IMA_WRITE_POLICY is set. However, kernel does
> not check the file path carefully. It only checks if the path has '/'
> prefix.
>
> When a policy file path contains control characters like '\r' or
> '\b', invalid error messages can be printed to overwrite system
> messages.
This doesn't sound like a good idea: filesystems accept control
characters in names, so the IMA file policy has to be able to specify
them. We can debate whether filesystems should do this, but while they
do IMA has to as well.
> For example:
>
> $ echo -e "/\rtest invalid path: ddddddddddddddddddddd" >
> /sys/kernel/security/ima/policy
> $ dmesg
> test invalid path: ddddddddddddddddddddd (-2)
>
> After adding this patch, we'll be able to throw out error message:
>
> $ echo -e "/\rtest invalid path: ddddddddddddddddddddd" >
> /sys/kernel/security/ima/policy
> -bash: echo: write error: Invalid argument
> $ dmesg
> [ 11.684004] ima: invalid path (control characters are not allowed)
> [ 11.684071] ima: policy update failed
>
> Any suggestions would be appreciated, thank you.
I don't quite understand what you think the problem is. Only root can
write IMA policies so no-one other than a legitimate administrator can
use bogus paths like the above. If the problem is producing a bogus
log message, we do have several IMA messages that print out
measured/appraised file names ... they would be vulnerable to this
since a generic user could have created them with control character
containg file names, and your proposed patch wouldn't fix that.
Wouldn't a better solution be to have a file name print that expands
the unprintable characters?
James
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-08-14 12:47 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-08-14 8:13 [PATCH 0/1] ima: check control characters in policy path Tianxing Zhang
2021-08-14 12:47 ` James Bottomley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox