Message ID | 20210621122912.1472470-1-roberto.sassu@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | [v2] evm: Check xattr size discrepancy between kernel and user | expand |
On Mon, 2021-06-21 at 14:29 +0200, Roberto Sassu wrote: > The kernel and the user obtain an xattr value in two different ways: > > kernel (EVM): uses vfs_getxattr_alloc() which obtains the xattr value from > the filesystem handler (raw value); > > user (ima-evm-utils): uses vfs_getxattr() which obtains the xattr value > from the LSMs (normalized value). > > Normally, this does not have an impact unless security.selinux is set with > setfattr, with a value not terminated by '\0' (this is not the recommended > way, security.selinux should be set with the appropriate tools such as > chcon and restorecon). > > In this case, the kernel and the user see two different xattr values: the > former sees the xattr value without '\0' (raw value), the latter sees the > value with '\0' (value normalized by SELinux). > > This could result in two different verification outcomes from EVM and > ima-evm-utils, if a signature was calculated with a security.selinux value > terminated by '\0' and the value set in the filesystem is not terminated by > '\0'. The former would report verification failure due to the missing '\0', > while the latter would report verification success (because it gets the > normalized value with '\0'). > > This patch mitigates this issue by comparing in evm_calc_hmac_or_hash() the > size of the xattr returned by the two xattr functions and by warning the > user if there is a discrepancy. > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Thanks, Roberto. Applied to: git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux- integrity.git next-integrity-testing branch. Mimi
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index 96b22f2ac27a..462c5258322a 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -221,7 +221,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, size_t xattr_size = 0; char *xattr_value = NULL; int error; - int size; + int size, user_space_size; bool ima_present = false; if (!(inode->i_opflags & IOP_XATTR) || @@ -276,6 +276,12 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, if (size < 0) continue; + user_space_size = vfs_getxattr(&init_user_ns, dentry, + xattr->name, NULL, 0); + if (user_space_size != size) + pr_debug("file %s: xattr %s size mismatch (kernel: %d, user: %d)\n", + dentry->d_name.name, xattr->name, size, + user_space_size); error = 0; xattr_size = size; crypto_shash_update(desc, (const u8 *)xattr_value, xattr_size);
The kernel and the user obtain an xattr value in two different ways: kernel (EVM): uses vfs_getxattr_alloc() which obtains the xattr value from the filesystem handler (raw value); user (ima-evm-utils): uses vfs_getxattr() which obtains the xattr value from the LSMs (normalized value). Normally, this does not have an impact unless security.selinux is set with setfattr, with a value not terminated by '\0' (this is not the recommended way, security.selinux should be set with the appropriate tools such as chcon and restorecon). In this case, the kernel and the user see two different xattr values: the former sees the xattr value without '\0' (raw value), the latter sees the value with '\0' (value normalized by SELinux). This could result in two different verification outcomes from EVM and ima-evm-utils, if a signature was calculated with a security.selinux value terminated by '\0' and the value set in the filesystem is not terminated by '\0'. The former would report verification failure due to the missing '\0', while the latter would report verification success (because it gets the normalized value with '\0'). This patch mitigates this issue by comparing in evm_calc_hmac_or_hash() the size of the xattr returned by the two xattr functions and by warning the user if there is a discrepancy. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Suggested-by: Mimi Zohar <zohar@linux.ibm.com> --- security/integrity/evm/evm_crypto.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)