> -----Original Message----- > From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx] > Sent: Monday, April 27, 2020 9:20 PM > To: Roberto Sassu <roberto.sassu@xxxxxxxxxx>; Matthew Garrett > <mjg59@xxxxxxxxxx> > Cc: linux-integrity@xxxxxxxxxxxxxxx; Silviu Vlasceanu > <Silviu.Vlasceanu@xxxxxxxxxx> > Subject: Re: vfs_getxattr_alloc() problem > > On Mon, 2020-04-27 at 14:54 -0400, Mimi Zohar wrote: > > On Fri, 2020-04-24 at 14:32 +0000, Roberto Sassu wrote: > > > > Hi Roberto, > > > > > > > > On Tue, 2020-04-21 at 10:58 +0000, Roberto Sassu wrote: > > > > > Hi Mimi > > > > > > > > > > I found a problem in the calculation of the EVM digest. > > > > > > > > > > If an xattr is in the security domain, vfs_getxattr() calls > xattr_getsecurity(), > > > > > which is implemented by LSMs. vfs_getxattr_alloc() instead calls > directly > > > > > the filesystem function to read xattrs. > > > > > > > > > > The problem arises for example when you have a file with a portable > > > > > signature on the correct SELinux label (with \0) and you set > > > > security.selinux > > > > > manually: > > > > > > > > > > setfattr -n security.selinux -v "system_u:object_r:bin_t:s0" cat > > > > > > > > > > Although the length passed is 26 bytes (without \0), you get: > > > > > > > > > > # attr -l cat > > > > > Attribute "selinux" has a 27 byte value for cat > > > > > > > > > > which includes \0. > > > > > > > > > > From user space, evmctl does not complain (the signature is ok) > because > > > > > it calculates the EVM digest with \0, but EVM verification fails > (because it > > > > > calculates the digest without \0). > > > > > > > > > > Should this problem be fixed? > > > > > > > > I don't seem to be having any problems verifying the EVM immutable > & > > > > portable signatures. To test, I've copied a properly labeled file > > > > twice, once with the "--preserve=xattr" and once without it. I signed > > > > the properly labeled file with the EVM immutable & portable signature. > > > > On the other file, I first set the selinux label before signing it. > > > > If there was a problem manually writing the SELinux label, the > > > > security.evm labels would be different, which they aren't. > > > > > > [root@vm demo]# ls -lZ /bin/cat > > > -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 85520 Apr 24 16:20 > /bin/cat > > > [root@vm demo]# evmctl sign -o -a sha256 --imahash --key > $PWD/signing_key.pem /bin/cat -v -v > > > hash(sha256): > 0404d3d78d8249317ed50056ec7d04da382488f36a6127f4e9161792d97f13e10 > bc6 > > > name: security.selinux, size: 27 > > > 73797374656d5f753a6f626a6563745f723a62696e5f743a733000 > > > no xattr: security.SMACK64 > > > no xattr: security.apparmor > > > name: security.ima, size: 34 > > > > 0404d3d78d8249317ed50056ec7d04da382488f36a6127f4e9161792d97f13e10 > bc6 > > > no xattr: security.capability > > > calc_evm_hash:532 hmac_misc (24): > 0000000000000000000000000000000000000000ed810000 > > > hash(sha256): > 331e36ce1b32374a22e12df28b58d79536c0ee97ba01451bd60343191c073b55 > > > calc_keyid_v2:735 keyid: aecec286 > > > keyid: aecec286 > > > evm/ima signature: 520 bytes > > > ... > > > [root@vm demo]# cat > > > ^C > > > [root@vm demo]# setfattr -n security.selinux -v > "system_u:object_r:bin_t:s0" /bin/cat > > > > In the past, when I looked at writing the same SELinux label, there > > was some performance improvement that only updated the label if the > > label actually changed. Unless things have changed since, I don't > > think the same selinux label is rewritten. > > > > > [root@vm demo]# evmctl verify -o -a sha256 --imahash /bin/cat -v -v > > > calc_keyid_v2:735 keyid: aecec286 > > > keyid: aecec286 > > > key 1: aecec286 /etc/keys/x509_evm.der > > > name: security.selinux, size: 27 > > > 73797374656d5f753a6f626a6563745f723a62696e5f743a733000 > > > no xattr: security.SMACK64 > > > no xattr: security.apparmor > > > name: security.ima, size: 34 > > > > 0404d3d78d8249317ed50056ec7d04da382488f36a6127f4e9161792d97f13e10 > bc6 > > > no xattr: security.capability > > > calc_evm_hash:532 hmac_misc (24): > 0000000000000000000000000000000000000000ed810000 > > > hash(sha256): > 331e36ce1b32374a22e12df28b58d79536c0ee97ba01451bd60343191c073b55 > > > /bin/cat: verification is OK > > > [root@vm demo]# cat > > > -bash: /usr/bin/cat: Permission denied > > > [root@vm demo]# > > > > > > It fails because the actual xattr in the filesystem is: > > > > > > name: security.selinux, size: 26 > > > 73797374656d5f753a6f626a6563745f723a62696e5f743a7330 > > > > Looking at security/selinux/hooks.c: I'm seeing a > > comment selinux_inode_setxattr() that says: > > > > /* We strip a nul only if it is at the end, otherwise the > > * context contains a nul and we should audit that */ > > strace shows setxattr is writing 26 bytes: > > setxattr("/bin/cat-test", "security.selinux", > "system_u:object_r:bin_t:s0", 26, 0) = 0 Yes, but SELinux fixes the label and adds \0: static int selinux_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { [...] rc = security_context_to_sid(&selinux_state, value, size, &newsid, GFP_KERNEL); static int security_context_to_sid_core(struct selinux_state *state, const char *scontext, u32 scontext_len, u32 *sid, u32 def_sid, gfp_t gfp_flags, int force) { [...] /* Copy the string to allow changes and ensure a NUL terminator */ scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags); When evmctl reads from user space, the kernel does: ssize_t vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size) { [...] if (!strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN)) { const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; int ret = xattr_getsecurity(inode, suffix, value, size); static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) { [...] error = security_sid_to_context(&selinux_state, isec->sid, &context, &size); evmctl gets the string of 27 bytes with the \0, which is not the content stored in the filesystem but the SELinux translation of the sid. Instead EVM takes a different path: ssize_t vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value, size_t xattr_size, gfp_t flags) { [...] error = handler->get(handler, dentry, inode, name, NULL, 0); so, it gets 26 bytes, not 27. This is why permission is denied. Roberto HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Li Jian, Shi Yanli
