On Wed, Mar 21, 2012 at 8:54 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote: > Based on xattr_permission comments, the restriction to modify 'security' > xattr is left up to the underlying fs or lsm. Ensure that not just anyone > can modify or remove 'security.ima'. > > Changelog v1: > - Unless IMA-APPRAISE is configured, use stub ima_inode_removexattr()/setxattr() > functions. (Moved ima_inode_removexattr()/setxattr() to ima_appraise.c) > > Changelog: > - take i_mutex to fix locking (Dmitry Kasatkin) > - ima_reset_appraise_flags should only be called when modifying or > removing the 'security.ima' xattr. Requires CAP_SYS_ADMIN privilege. > (Incorporated fix from Roberto Sassu) > - Even if allowed to update security.ima, reset the appraisal flags, > forcing re-appraisal. > - Replace CAP_MAC_ADMIN with CAP_SYS_ADMIN > - static inline ima_inode_setxattr()/ima_inode_removexattr() stubs > - ima_protect_xattr should be static > > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxx> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx> > --- > include/linux/ima.h | 17 ++++++++++ > security/integrity/ima/ima_appraise.c | 57 +++++++++++++++++++++++++++++++++ > security/security.c | 6 +++ > 3 files changed, 80 insertions(+), 0 deletions(-) > > diff --git a/include/linux/ima.h b/include/linux/ima.h > index e2bfbb1..2c7223d 100644 > --- a/include/linux/ima.h > +++ b/include/linux/ima.h > @@ -44,10 +44,27 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot) > > #ifdef CONFIG_IMA_APPRAISE > extern void ima_inode_post_setattr(struct dentry *dentry); > +extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, > + const void *xattr_value, size_t xattr_value_len); > +extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name); > #else > static inline void ima_inode_post_setattr(struct dentry *dentry) > { > return; > } > + > +static inline int ima_inode_setxattr(struct dentry *dentry, > + const char *xattr_name, > + const void *xattr_value, > + size_t xattr_value_len) > +{ > + return 0; > +} > + > +static inline int ima_inode_removexattr(struct dentry *dentry, > + const char *xattr_name) > +{ > + return 0; > +} > #endif /* CONFIG_IMA_APPRAISE_H */ > #endif /* _LINUX_IMA_H */ > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > index 681cb6e..becc7e0 100644 > --- a/security/integrity/ima/ima_appraise.c > +++ b/security/integrity/ima/ima_appraise.c > @@ -169,3 +169,60 @@ void ima_inode_post_setattr(struct dentry *dentry) > rc = inode->i_op->removexattr(dentry, XATTR_NAME_IMA); > return; > } > + > +/* > + * ima_protect_xattr - protect 'security.ima' > + * > + * Ensure that not just anyone can modify or remove 'security.ima'. > + */ > +static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name, > + const void *xattr_value, size_t xattr_value_len) > +{ > + if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) { > + if (!capable(CAP_SYS_ADMIN)) > + return -EPERM; > + return 1; > + } > + return 0; > +} > + > +static void ima_reset_appraise_flags(struct inode *inode) > +{ > + struct integrity_iint_cache *iint; > + > + if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode)) > + return; > + > + iint = integrity_iint_find(inode); > + if (!iint) > + return; > + > + iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED); > + return; > +} > + > +int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, > + const void *xattr_value, size_t xattr_value_len) > +{ > + int result; > + > + result = ima_protect_xattr(dentry, xattr_name, xattr_value, > + xattr_value_len); > + if (result == 1) { > + ima_reset_appraise_flags(dentry->d_inode); > + result = 0; > + } > + return result; > +} > + > +int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name) > +{ > + int result; > + > + result = ima_protect_xattr(dentry, xattr_name, NULL, 0); > + if (result == 1) { > + ima_reset_appraise_flags(dentry->d_inode); > + result = 0; > + } > + return result; > +} > diff --git a/security/security.c b/security/security.c > index e50bbf4..7bb127e 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -557,6 +557,9 @@ int security_inode_setxattr(struct dentry *dentry, const char *name, > ret = security_ops->inode_setxattr(dentry, name, value, size, flags); > if (ret) > return ret; > + ret = ima_inode_setxattr(dentry, name, value, size); > + if (ret) > + return ret; > return evm_inode_setxattr(dentry, name, value, size); > } > > @@ -592,6 +595,9 @@ int security_inode_removexattr(struct dentry *dentry, const char *name) > ret = security_ops->inode_removexattr(dentry, name); > if (ret) > return ret; > + ret = ima_inode_removexattr(dentry, name); > + if (ret) > + return ret; > return evm_inode_removexattr(dentry, name); > } > > -- > 1.7.6.5 > -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html