> -----Original Message----- > From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx] > Sent: Friday, April 24, 2020 1:52 AM > To: Roberto Sassu <roberto.sassu@xxxxxxxxxx>; Matthew Garrett > <mjg59@xxxxxxxxxx> > Cc: linux-integrity@xxxxxxxxxxxxxxx; Silviu Vlasceanu > <Silviu.Vlasceanu@xxxxxxxxxx> > Subject: Re: vfs_getxattr_alloc() problem > > [Cc'ing Matthew] > > Hi Roberto, > > On Tue, 2020-04-21 at 10:58 +0000, Roberto Sassu wrote: > > Hi Mimi > > > > I found a problem in the calculation of the EVM digest. > > > > If an xattr is in the security domain, vfs_getxattr() calls xattr_getsecurity(), > > which is implemented by LSMs. vfs_getxattr_alloc() instead calls directly > > the filesystem function to read xattrs. > > > > The problem arises for example when you have a file with a portable > > signature on the correct SELinux label (with \0) and you set > security.selinux > > manually: > > > > setfattr -n security.selinux -v "system_u:object_r:bin_t:s0" cat > > > > Although the length passed is 26 bytes (without \0), you get: > > > > # attr -l cat > > Attribute "selinux" has a 27 byte value for cat > > > > which includes \0. > > > > From user space, evmctl does not complain (the signature is ok) because > > it calculates the EVM digest with \0, but EVM verification fails (because it > > calculates the digest without \0). > > > > Should this problem be fixed? > > I don't seem to be having any problems verifying the EVM immutable & > portable signatures. To test, I've copied a properly labeled file > twice, once with the "--preserve=xattr" and once without it. I signed > the properly labeled file with the EVM immutable & portable signature. > On the other file, I first set the selinux label before signing it. > If there was a problem manually writing the SELinux label, the > security.evm labels would be different, which they aren't. [root@vm demo]# ls -lZ /bin/cat -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 85520 Apr 24 16:20 /bin/cat [root@vm demo]# evmctl sign -o -a sha256 --imahash --key $PWD/signing_key.pem /bin/cat -v -v hash(sha256): 0404d3d78d8249317ed50056ec7d04da382488f36a6127f4e9161792d97f13e10bc6 name: security.selinux, size: 27 73797374656d5f753a6f626a6563745f723a62696e5f743a733000 no xattr: security.SMACK64 no xattr: security.apparmor name: security.ima, size: 34 0404d3d78d8249317ed50056ec7d04da382488f36a6127f4e9161792d97f13e10bc6 no xattr: security.capability calc_evm_hash:532 hmac_misc (24): 0000000000000000000000000000000000000000ed810000 hash(sha256): 331e36ce1b32374a22e12df28b58d79536c0ee97ba01451bd60343191c073b55 calc_keyid_v2:735 keyid: aecec286 keyid: aecec286 evm/ima signature: 520 bytes ... [root@vm demo]# cat ^C [root@vm demo]# setfattr -n security.selinux -v "system_u:object_r:bin_t:s0" /bin/cat [root@vm demo]# evmctl verify -o -a sha256 --imahash /bin/cat -v -v calc_keyid_v2:735 keyid: aecec286 keyid: aecec286 key 1: aecec286 /etc/keys/x509_evm.der name: security.selinux, size: 27 73797374656d5f753a6f626a6563745f723a62696e5f743a733000 no xattr: security.SMACK64 no xattr: security.apparmor name: security.ima, size: 34 0404d3d78d8249317ed50056ec7d04da382488f36a6127f4e9161792d97f13e10bc6 no xattr: security.capability calc_evm_hash:532 hmac_misc (24): 0000000000000000000000000000000000000000ed810000 hash(sha256): 331e36ce1b32374a22e12df28b58d79536c0ee97ba01451bd60343191c073b55 /bin/cat: verification is OK [root@vm demo]# cat -bash: /usr/bin/cat: Permission denied [root@vm demo]# It fails because the actual xattr in the filesystem is: name: security.selinux, size: 26 73797374656d5f753a6f626a6563745f723a62696e5f743a7330 Roberto HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Li Jian, Shi Yanli
