Message-ID: <wwcnoevou44eoe3ner4oegtdsdg46tlvwidu3ynobs7huac7ae@ljivg5ksohxv>
Date: Wed, 10 Sep 2025 09:36:50 +0800
From: Coiby Xu <coxu@...hat.com>
To: Mimi Zohar <zohar@...ux.ibm.com>
Cc: linux-integrity@...r.kernel.org, 
	Roberto Sassu <roberto.sassu@...wei.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, 
	Eric Snowberg <eric.snowberg@...cle.com>, Paul Moore <paul@...l-moore.com>, 
	James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, 
	"open list:SECURITY SUBSYSTEM" <linux-security-module@...r.kernel.org>, open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] ima: don't clear IMA_DIGSIG flag when setting non-IMA xattr

On Mon, Sep 08, 2025 at 04:58:05PM -0400, Mimi Zohar wrote:
>On Mon, 2025-09-08 at 10:53 -0400, Mimi Zohar wrote:
>> Hi Coiby,
>>
>> On Mon, 2025-09-08 at 19:12 +0800, Coiby Xu wrote:
>> > >
>> > > Even without an IMA appraise policy, the security xattrs are written out to the
>> > > filesystem, but the IMA_DIGSIG flag is not cached.
>> >
>> > It seems I miss some context for the above sentence. If no IMA policy is
>> > configured, no ima_iint_cache will be created. If you mean non-appraisal
>> > policy, will not caching IMA_DIGSIG flag cause any problem?
>>
>> Sorry.  What I was trying to say is that your test program illustrates the
>> problem both with or without any of the boot command line options as you
>> suggested - "ima_appraise=fix evm=fix ima_policy=appraise_tcb".  Writing some
>> other security xattr is a generic problem, whether the file is in policy or not,
>> whether IMA or EVM are in fix mode or not.  The rpm-plugin-ima should install
>> the IMA signature regardless.
>
>My mistake.  An appraise policy indeed needs to be defined for the file
>signature to be replaced with a file hash.

Thanks for the clarification! rpm-plugin-ima does try to install the IMA
signature, as shown in the following strace output:

     # strace rpm --reinstall ip*.rpm
     openat(11, "lnstat;68aee3f4", O_WRONLY|O_CREAT|O_EXCL, 0200) = 12
     dup(12)                                 = 13
     write(13, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0'\0\0\0\0\0\0"..., 19256) = 19256
     close(13)                               = 0
     getuid()                                = 0
     fchown(12, 0, 0)                        = 0
     fchmod(12, 0755)                        = 0
     getuid()                                = 0
     utimensat(12, NULL, [{tv_sec=1734480000, tv_nsec=0} /* 2024-12-17T19:00:00-0500 */, {tv_sec=1734480000, tv_nsec=0} /* 2024-12-17T19:00:00-0500 */], 0) = 0
     fsetxattr(12, "security.ima", "\3\2\4\3232\4I\0f0d\0020O\231\341q\323Q\322\235\341\7\323\224\205\2104\24\241\331#"..., 111, 0) = 0
     fsetxattr(12, "security.selinux", "system_u:object_r:bin_t:s0", 27, 0) = 0
     close(12)                               = 0

But after rpm-plugin-selinux sets security.selinux, the IMA
signature gets cleared and is replaced with an IMA hash.

>
>>
>> SELinux doesn't usually re-write the security.selinux xattr, so the problem is
>> hard to reproduce after installing the rpm-plugin-ima with "dnf reinstall
>> <package>".

Since rpm-plugin-selinux will write security.selinux for a newly
installed file, this issue can be easily reproduced. If you want to
reproduce this issue yourself, here are the steps to reproduce it
on Fedora:
1. Turn off secure boot and boot the kernel with
    "ima_appraise=fix evm=fix ima_policy=appraise_tcb"
2. dnf install rpm-plugin-ima -y
3. dnf reinstall iproute -y
4. Run "getfattr -m - -d -e hex /usr/sbin/ip" to check if /usr/sbin/ip has IMA signature set

My attached C reproducer extracts the essence of what
rpm-plugin-ima does, so it can serve as a minimal reproducer and also
illustrate what the problem is.

>>
>> thanks,
>>
>> Mimi
>>
>

-- 
Best regards,
Coiby
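As an added example (not the reproducer attached to this mail, and not rpm-plugin-ima's code), the C program below replays the fsetxattr() sequence from the strace above on a hypothetical path and then reads security.ima back to report whether the type byte still says signature (0x03) or has become a hash (0x04). main() needs root on a kernel booted as in step 1; the two helper functions run anywhere, and the signature blob is a constructed stand-in with only the v2 header filled in.

```c
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/xattr.h>

/* security.ima type byte values, from security/integrity/integrity.h */
#define EVM_IMA_XATTR_DIGSIG 0x03   /* file signature */
#define IMA_XATTR_DIGEST_NG  0x04   /* file hash */

/* Classify a security.ima value: 1 = signature, 0 = hash, -1 = other/empty. */
int ima_xattr_is_sig(const unsigned char *buf, size_t len)
{
    if (len == 0) return -1;
    if (buf[0] == EVM_IMA_XATTR_DIGSIG) return 1;
    if (buf[0] == IMA_XATTR_DIGEST_NG) return 0;
    return -1;
}

/* Check a v2 signature header (type, version=2, hash algo, 4-byte keyid,
 * big-endian 2-byte sig_size) against the total xattr length. */
int ima_sig_v2_len_ok(const unsigned char *buf, size_t len)
{
    if (len < 9 || buf[0] != EVM_IMA_XATTR_DIGSIG || buf[1] != 2) return 0;
    size_t sig_size = ((size_t)buf[7] << 8) | buf[8];
    return 9 + sig_size == len;
}

/* Replay the rpm-plugin-ima / rpm-plugin-selinux sequence on a file
 * (hypothetical default path) and report the security.ima type afterwards. */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/usr/local/bin/ima-repro";
    /* constructed stand-in for a real signature: v2 header, sig_size 102 */
    unsigned char sig[111] = {0x03, 0x02, 0x04, 0xd3, 0x32, 0x04, 0x49, 0x00, 0x66};
    unsigned char cur[512];
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0 || write(fd, "#!/bin/sh\nexit 0\n", 17) != 17) { perror(path); return 1; }
    if (fchown(fd, 0, 0)) perror("fchown");  /* root-owned: appraise_tcb's fowner=0 rule */
    if (fsetxattr(fd, "security.ima", sig, sizeof sig, 0) ||
        fsetxattr(fd, "security.selinux", "system_u:object_r:bin_t:s0", 27, 0)) {
        perror("fsetxattr"); return 1;
    }
    close(fd);                 /* last writer closes, as in the strace */
    ssize_t n = getxattr(path, "security.ima", cur, sizeof cur);
    int kind = ima_xattr_is_sig(cur, n < 0 ? 0 : (size_t)n);
    printf("security.ima after close: %s\n",
           kind == 1 ? "signature kept" : kind == 0 ? "replaced by hash" : "missing/other");
    return 0;
}
```

Build with `gcc -o ima-repro ima-repro.c` and run as root; "replaced by hash" after the close is the behaviour this thread reports.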

