From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:43856 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1755796AbeEaRmj (ORCPT ); Thu, 31 May 2018 13:42:39 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w4VHdm3r049534 for ; Thu, 31 May 2018 13:42:38 -0400 Received: from e06smtp03.uk.ibm.com (e06smtp03.uk.ibm.com [195.75.94.99]) by mx0b-001b2d01.pphosted.com with ESMTP id 2jak6xxnyf-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 31 May 2018 13:42:38 -0400 Received: from localhost by e06smtp03.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 31 May 2018 18:42:36 +0100 Date: Thu, 31 May 2018 20:42:31 +0300 From: Mike Rapoport To: stable@vger.kernel.org Cc: James Bottomley Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log modes" MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Message-Id: <20180531174231.GA9708@rapoport-lnx> Sender: stable-owner@vger.kernel.org List-ID: Hi, On a system that has IMA appraisal enabled it is impossible to create security.ima extended attribute files that contain IMA hash. For instance, consider the following use case: 1) extract application files to a staging area as non root user 2) verify that installation is correct 3) create IMA extended attributes for the installed files 4) move the files to their destination 5) change the files ownership to root With the longterm kernels 4.4.x and 4.9.x step 3 will fail. The issues is fixed in upstream kernels by the commit f5acb3dcba1ffb7f0b8cbb9dba61500eea5d610b ("Revert "ima: limit file hash setting by user to fix and log modes"), with the patch also quoted below. -- Sincerely yours, Mike. >>From f5acb3dcba1ffb7f0b8cbb9dba61500eea5d610b Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Wed, 2 Nov 2016 09:14:16 -0400 Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log modes" Userspace applications have been modified to write security xattrs, but they are not context aware. In the case of security.ima, the security xattr can be either a file hash or a file signature. Permitting writing one, but not the other requires the application to be context aware. In addition, userspace applications might write files to a staging area, which might not be in policy, and then change some file metadata (eg. owner) making it in policy. As a result, these files are not labeled properly. This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533, which prevents writing file hashes as security.ima xattrs. Requested-by: Patrick Ohly Cc: Dmitry Kasatkin Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_appraise.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 389325ac6067..a705598ced5f 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -384,14 +384,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, result = ima_protect_xattr(dentry, xattr_name, xattr_value, xattr_value_len); if (result == 1) { - bool digsig; - if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) return -EINVAL; - digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); - if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE)) - return -EPERM; - ima_reset_appraise_flags(d_backing_inode(dentry), digsig); + ima_reset_appraise_flags(d_backing_inode(dentry), + (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0); result = 0; } return result; -- 2.7.4