dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-04-28 14:43:37 +02:00
Code Releases Activity

ima-evm-utils: Define the '--xattr-user' option for testing

Browse Source 
The IMA/EVM attributes are currently stored in the "security" namespace,
which requires root privileges. Storing the ima/evm attributes in the
"user" namespace, instead of the "security" namespace, would be useful
for debugging and testing purposes, and because "--sigfile" does not
work for evm signatures.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Vitaly Chikunov 2018-12-03 06:35:21 +03:00 committed by Mimi Zohar
parent 1d9c279279
commit b853b7ba93
3 changed files with 23 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README
View File

@ -44,6 +44,7 @@ OPTIONS
-s, --imasig make IMA signature -s, --imasig make IMA signature
-d, --imahash make IMA hash -d, --imahash make IMA hash
-f, --sigfile store IMA signature in .sig file instead of xattr -f, --sigfile store IMA signature in .sig file instead of xattr
--xattr-user store xattrs in user namespace (for testing purposes)
--rsa use RSA key type and signing scheme v1 --rsa use RSA key type and signing scheme v1
-k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem) -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
-o, --portable generate portable EVM signatures -o, --portable generate portable EVM signatures

33
src/evmctl.c
View File

@ -145,6 +145,9 @@ static int find(const char *path, int dts, find_cb_t func);
struct command cmds[]; struct command cmds[];
static void print_usage(struct command *cmd); static void print_usage(struct command *cmd);
static const char *xattr_ima = "security.ima";
static const char *xattr_evm = "security.evm";
static int bin2file(const char *file, const char *ext, const unsigned char *data, int len) static int bin2file(const char *file, const char *ext, const unsigned char *data, int len)
{ {
FILE *fp; FILE *fp;
@ -533,7 +536,7 @@ static int sign_evm(const char *file, const char *key)
dump(sig, len); dump(sig, len);
if (xattr) { if (xattr) {
err = lsetxattr(file, "security.evm", sig, len, 0); err = lsetxattr(file, xattr_evm, sig, len, 0);
if (err < 0) { if (err < 0) {
log_err("setxattr failed: %s\n", file); log_err("setxattr failed: %s\n", file);
return err; return err;
@ -572,7 +575,7 @@ static int hash_ima(const char *file)
dump(hash, len); dump(hash, len);
if (xattr) { if (xattr) {
err = lsetxattr(file, "security.ima", hash, len, 0); err = lsetxattr(file, xattr_ima, hash, len, 0);
if (err < 0) { if (err < 0) {
log_err("setxattr failed: %s\n", file); log_err("setxattr failed: %s\n", file);
return err; return err;
@ -609,7 +612,7 @@ static int sign_ima(const char *file, const char *key)
bin2file(file, "sig", sig, len); bin2file(file, "sig", sig, len);
if (xattr) { if (xattr) {
err = lsetxattr(file, "security.ima", sig, len, 0); err = lsetxattr(file, xattr_ima, sig, len, 0);
if (err < 0) { if (err < 0) {
log_err("setxattr failed: %s\n", file); log_err("setxattr failed: %s\n", file);
return err; return err;
@ -778,14 +781,14 @@ static int verify_evm(const char *file)
if (mdlen <= 1) if (mdlen <= 1)
return mdlen; return mdlen;
len = lgetxattr(file, "security.evm", sig, sizeof(sig)); len = lgetxattr(file, xattr_evm, sig, sizeof(sig));
if (len < 0) { if (len < 0) {
log_err("getxattr failed: %s\n", file); log_err("getxattr failed: %s\n", file);
return len; return len;
} }
if (sig[0] != 0x03) { if (sig[0] != 0x03) {
log_err("security.evm has no signature\n"); log_err("%s has no signature\n", xattr_evm);
return -1; return -1;
} }
@ -821,7 +824,7 @@ static int verify_ima(const char *file)
memcpy(sig, tmp, len); memcpy(sig, tmp, len);
free(tmp); free(tmp);
} else { } else {
len = lgetxattr(file, "security.ima", sig, sizeof(sig)); len = lgetxattr(file, xattr_ima, sig, sizeof(sig));
if (len < 0) { if (len < 0) {
log_err("getxattr failed: %s\n", file); log_err("getxattr failed: %s\n", file);
return len; return len;
@ -964,7 +967,7 @@ static int setxattr_ima(const char *file, char *sig_file)
if (!sig) if (!sig)
return 0; return 0;
err = lsetxattr(file, "security.ima", sig, len, 0); err = lsetxattr(file, xattr_ima, sig, len, 0);
if (err < 0) if (err < 0)
log_err("setxattr failed: %s\n", file); log_err("setxattr failed: %s\n", file);
free(sig); free(sig);
@ -1162,7 +1165,7 @@ static int hmac_evm(const char *file, const char *key)
if (xattr) { if (xattr) {
sig[0] = EVM_XATTR_HMAC; sig[0] = EVM_XATTR_HMAC;
err = lsetxattr(file, "security.evm", sig, len + 1, 0); err = lsetxattr(file, xattr_evm, sig, len + 1, 0);
if (err < 0) { if (err < 0) {
log_err("setxattr failed: %s\n", file); log_err("setxattr failed: %s\n", file);
return err; return err;
@ -1218,9 +1221,9 @@ static int ima_fix(const char *path)
} }
for (; size > 0; len++, size -= len, list += len) { for (; size > 0; len++, size -= len, list += len) {
len = strlen(list); len = strlen(list);
if (!strcmp(list, "security.ima")) if (!strcmp(list, xattr_ima))
ima = 1; ima = 1;
else if (!strcmp(list, "security.evm")) else if (!strcmp(list, xattr_evm))
evm = 1; evm = 1;
} }
if (ima && evm) if (ima && evm)
@ -1297,8 +1300,8 @@ static int cmd_ima_fix(struct command *cmd)
static int ima_clear(const char *path) static int ima_clear(const char *path)
{ {
log_info("%s\n", path); log_info("%s\n", path);
lremovexattr(path, "security.ima"); lremovexattr(path, xattr_ima);
lremovexattr(path, "security.evm"); lremovexattr(path, xattr_evm);
return 0; return 0;
} }
@ -1654,6 +1657,7 @@ static void usage(void)
" -s, --imasig make IMA signature\n" " -s, --imasig make IMA signature\n"
" -d, --imahash make IMA hash\n" " -d, --imahash make IMA hash\n"
" -f, --sigfile store IMA signature in .sig file instead of xattr\n" " -f, --sigfile store IMA signature in .sig file instead of xattr\n"
" --xattr-user store xattrs in user namespace (for testing purposes)\n"
" --rsa use RSA key type and signing scheme v1\n" " --rsa use RSA key type and signing scheme v1\n"
" -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n" " -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n"
" -o, --portable generate portable EVM signatures\n" " -o, --portable generate portable EVM signatures\n"
@ -1728,6 +1732,7 @@ static struct option opts[] = {
{"selinux", 1, 0, 136}, {"selinux", 1, 0, 136},
{"caps", 2, 0, 137}, {"caps", 2, 0, 137},
{"list", 0, 0, 138}, {"list", 0, 0, 138},
{"xattr-user", 0, 0, 140},
{} {}
}; };
@ -1879,6 +1884,10 @@ int main(int argc, char *argv[])
case 138: case 138:
measurement_list = 1; measurement_list = 1;
break; break;
case 140: /* --xattr-user */
xattr_ima = "user.ima";
xattr_evm = "user.evm";
break;
case '?': case '?':
exit(1); exit(1);
break; break;

2
src/libimaevm.c
View File

@ -595,7 +595,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
int hashlen, sig_hash_algo; int hashlen, sig_hash_algo;
if (sig[0] != 0x03) { if (sig[0] != 0x03) {
log_err("security.ima has no signature\n"); log_err("xattr ima has no signature\n");
return -1; return -1;
} }