Keep ima/evm attributes in user namespace instead of security namespace. Would be useful for testing purposes without having root privileges, easier to understand, and because --sigfile does not work for evm signatures. Signed-off-by: Vitaly Chikunov <vt@xxxxxxxxxxxx> --- src/evmctl.c | 32 ++++++++++++++++++++------------ src/libimaevm.c | 2 +- 2 files changed, 21 insertions(+), 13 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index 94d7ab1..032ea9d 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -145,6 +145,9 @@ static int find(const char *path, int dts, find_cb_t func); struct command cmds[]; static void print_usage(struct command *cmd); +static const char *xattr_ima = "security.ima"; +static const char *xattr_evm = "security.evm"; + static int bin2file(const char *file, const char *ext, const unsigned char *data, int len) { FILE *fp; @@ -531,7 +534,7 @@ static int sign_evm(const char *file, const char *key) dump(sig, len); if (xattr) { - err = lsetxattr(file, "security.evm", sig, len, 0); + err = lsetxattr(file, xattr_evm, sig, len, 0); if (err < 0) { log_err("setxattr failed: %s\n", file); return err; @@ -569,7 +572,7 @@ static int hash_ima(const char *file) dump(hash, len); if (xattr) { - err = lsetxattr(file, "security.ima", hash, len, 0); + err = lsetxattr(file, xattr_ima, hash, len, 0); if (err < 0) { log_err("setxattr failed: %s\n", file); return err; @@ -604,7 +607,7 @@ static int sign_ima(const char *file, const char *key) bin2file(file, "sig", sig, len); if (xattr) { - err = lsetxattr(file, "security.ima", sig, len, 0); + err = lsetxattr(file, xattr_ima, sig, len, 0); if (err < 0) { log_err("setxattr failed: %s\n", file); return err; @@ -771,14 +774,14 @@ static int verify_evm(const char *file) if (mdlen <= 1) return mdlen; - len = lgetxattr(file, "security.evm", sig, sizeof(sig)); + len = lgetxattr(file, xattr_evm, sig, sizeof(sig)); if (len < 0) { log_err("getxattr failed: %s\n", file); return len; } if (sig[0] != 0x03) { - log_err("security.evm has no signature\n"); + log_err("%s has no signature\n", xattr_evm); return -1; } @@ -813,7 +816,7 @@ static int verify_ima(const char *file) memcpy(sig, tmp, len); free(tmp); } else { - len = lgetxattr(file, "security.ima", sig, sizeof(sig)); + len = lgetxattr(file, xattr_ima, sig, sizeof(sig)); if (len < 0) { log_err("getxattr failed: %s\n", file); return len; @@ -956,7 +959,7 @@ static int setxattr_ima(const char *file, char *sig_file) if (!sig) return 0; - err = lsetxattr(file, "security.ima", sig, len, 0); + err = lsetxattr(file, xattr_ima, sig, len, 0); if (err < 0) log_err("setxattr failed: %s\n", file); free(sig); @@ -1152,7 +1155,7 @@ static int hmac_evm(const char *file, const char *key) if (xattr) { sig[0] = EVM_XATTR_HMAC; - err = lsetxattr(file, "security.evm", sig, len + 1, 0); + err = lsetxattr(file, xattr_evm, sig, len + 1, 0); if (err < 0) { log_err("setxattr failed: %s\n", file); return err; @@ -1208,9 +1211,9 @@ static int ima_fix(const char *path) } for (; size > 0; len++, size -= len, list += len) { len = strlen(list); - if (!strcmp(list, "security.ima")) + if (!strcmp(list, xattr_ima)) ima = 1; - else if (!strcmp(list, "security.evm")) + else if (!strcmp(list, xattr_evm)) evm = 1; } if (ima && evm) @@ -1287,8 +1290,8 @@ static int cmd_ima_fix(struct command *cmd) static int ima_clear(const char *path) { log_info("%s\n", path); - lremovexattr(path, "security.ima"); - lremovexattr(path, "security.evm"); + lremovexattr(path, xattr_ima); + lremovexattr(path, xattr_evm); return 0; } @@ -1718,6 +1721,7 @@ static struct option opts[] = { {"selinux", 1, 0, 136}, {"caps", 2, 0, 137}, {"list", 0, 0, 138}, + {"xattr-user", 0, 0, 140}, {} }; @@ -1869,6 +1873,10 @@ int main(int argc, char *argv[]) case 138: measurement_list = 1; break; + case 140: /* --xattr-user */ + xattr_ima = "user.ima"; + xattr_evm = "user.evm"; + break; case '?': exit(1); break; diff --git a/src/libimaevm.c b/src/libimaevm.c index 6fa0ed4..714f1ac 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -594,7 +594,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen, int hashlen, sig_hash_algo; if (sig[0] != 0x03) { - log_err("security.ima has no signature\n"); + log_err("xattr ima has no signature\n"); return -1; } -- 2.11.0