[PATCH v3 0/2] ima/evm fixes for v5.2

Roberto Sassu roberto.sassu at huawei.com
Thu Jun 13 08:51:58 UTC 2019


On 6/13/2019 10:04 AM, Janne Karhunen wrote:
> On Thu, Jun 13, 2019 at 10:50 AM Roberto Sassu <roberto.sassu at huawei.com> wrote:
> 
>>> Would the appraise actually need any changes, just keep the
>>> IMA_NEW_FILE in ima_check_last_writer()? Of course it's not that easy
>>> (it never is) as the iint could go away and things like that, but with
>>> some tweaks?
>>
>> I think the problem would be that the code that sets the status to
>> INTEGRITY_PASS is not executed, because the file gets security.ima after
>> the first write.
> 
> We have a patchset coming shortly that starts tracking the inode
> changes as we go, so first time we fix it is when the file is created
> before it has any content (!);
> 
> diff --git a/security/integrity/ima/ima_appraise.c
> b/security/integrity/ima/ima_appraise.c
> index 5fb7127bbe68..da4f0afe0348 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -236,8 +236,10 @@ int ima_appraise_measurement(enum ima_hooks func,
>                          iint->flags |= IMA_NEW_FILE;
>                  if ((iint->flags & IMA_NEW_FILE) &&
>                      (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
> -                    (inode->i_size == 0)))
> +                    (inode->i_size == 0))) {
> +                       ima_fix_xattr(dentry, iint);
>                          status = INTEGRITY_PASS;

Some time ago I developed this patch:

http://kernsec.org/pipermail/linux-security-module-archive/2017-November/004569.html

Since the appraisal flags are not cleared, ima_appraise_measurement() is
not executed again and the problem with EVM does not arise.

Roberto

-- 
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI



More information about the Linux-security-module-archive mailing list