security/integrity/ima/ima_appraise.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
Currently when both IMA and EVM are in fix mode, the IMA signature will
be reset to IMA hash if a program first stores IMA signature in
security.ima and then sets security.selinux for a file. For example, on
Fedora, after booting the kernel with "ima_appraise=fix evm=fix
ima_policy=appraise_tcb" and installing rpm-plugin-ima, reinstalling a
package will not make good reference IMA signature generated. Instead
IMA hash is generated,
# getfattr -m - -d -e hex /usr/bin/bash
# file: usr/bin/bash
security.ima=0x0404...
This happens because when setting security.selinux, the IMA_DIGSIG flag
that had been set early was cleared. As a result, IMA hash is generated
when the file is closed.
Here's a minimal C reproducer,
#include <stdio.h>
#include <sys/xattr.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
int main() {
const char* file_path = "/usr/sbin/test_binary";
const char* hex_string = "030204d33204490066306402304";
int length = strlen(hex_string);
char* ima_attr_value;
int fd;
fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);
if (fd == -1) {
perror("Error opening file");
return 1;
}
ima_attr_value = (char*)malloc(length / 2 );
for (int i = 0, j = 0; i < length; i += 2, j++) {
sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]);
}
if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) {
perror("Error setting extended attribute");
close(fd);
return 1;
}
const char* selinux_value= "system_u:object_r:bin_t:s0";
if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) {
perror("Error setting extended attribute");
close(fd);
return 1;
}
close(fd);
return 0;
}
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
security/integrity/ima/ima_appraise.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index f435eff4667f..fc82161f8b30 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -708,7 +708,7 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig)
set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
if (digsig)
set_bit(IMA_DIGSIG, &iint->atomic_flags);
- else
+ else if (digsig != -1)
clear_bit(IMA_DIGSIG, &iint->atomic_flags);
}
@@ -794,6 +794,8 @@ static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
} else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
+ } else if (result != 1) {
+ digsig = -1;
}
if (result == 1 || evm_revalidate_status(xattr_name)) {
ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
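Review bot: The added `else if (result != 1)` branch only protects the setxattr path; ima_inode_set_acl and ima_inode_removexattr (visible in the later revision of this patch further down the page) still pass a literal 0 to ima_reset_appraise_flags, so an ACL change or the removal of a non-IMA security xattr after rpm-plugin-ima has written the signature still clears IMA_DIGSIG and produces the same downgrade to a file hash on close. Those two call sites need the same "leave it alone" value, `ima_reset_appraise_flags(d_backing_inode(dentry), -1);`, with removexattr passing 0 only for XATTR_NAME_IMA. ima_inode_setxattr begins before this hunk, so the initial value of digsig is not visible here.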
--
2.51.0
On Tue, 2025-09-02 at 12:25 +0800, Coiby Xu wrote: > Currently when both IMA and EVM are in fix mode, the IMA signature will > be reset to IMA hash if a program first stores IMA signature in > security.ima and then sets security.selinux for a file. For example, on > Fedora, after booting the kernel with "ima_appraise=fix evm=fix > ima_policy=appraise_tcb" and installing rpm-plugin-ima, reinstalling a > package will not make good reference IMA signature generated. Instead > IMA hash is generated, > # getfattr -m - -d -e hex /usr/bin/bash > # file: usr/bin/bash > security.ima=0x0404... > > This happens because when setting selinux.selinux, the IMA_DIGSIG flag > that had been set early was cleared. As a result, IMA hash is generated > when the file is closed. > > Here's a minimal C reproducer, > > #include <stdio.h> > #include <sys/xattr.h> > #include <fcntl.h> > #include <unistd.h> > #include <string.h> > #include <stdlib.h> > > int main() { > const char* file_path = "/usr/sbin/test_binary"; > const char* hex_string = "030204d33204490066306402304"; > int length = strlen(hex_string); > char* ima_attr_value; > int fd; > > fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644); > if (fd == -1) { > perror("Error opening file"); > return 1; > } > > ima_attr_value = (char*)malloc(length / 2 ); > for (int i = 0, j = 0; i < length; i += 2, j++) { > sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]); > } > > if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) { > perror("Error setting extended attribute"); > close(fd); > return 1; > } > > const char* selinux_value= "system_u:object_r:bin_t:s0"; > if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) { > perror("Error setting extended attribute"); > close(fd); > return 1; > } > > close(fd); > > return 0; > } 
> > Signed-off-by: Coiby Xu <coxu@redhat.com> Thanks, Coiby. Agreed, the ability to clear the IMA_DIGSIG flag should be limited to security.ima xattr and probably security.evm xattr. Writing other security xattrs should not affect the IMA_DIGSIG flag. Even without an IMA appraise policy, the security xattrs are written out to the filesystem, but the IMA_DIGSIG flag is not cached. Please document the tristate values: 0: clear IMA_DIGSIG 1: set IMA_DIGSIG -1: don't change IMA_DIGSIG > --- > security/integrity/ima/ima_appraise.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > index f435eff4667f..fc82161f8b30 100644 > --- a/security/integrity/ima/ima_appraise.c > +++ b/security/integrity/ima/ima_appraise.c > @@ -708,7 +708,7 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig) > set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags); > if (digsig) > set_bit(IMA_DIGSIG, &iint->atomic_flags); This matches both -1 and 1. Test "digsig == 1" here. > - else > + else if (digsig != -1) and test "digsig == 0" here. > clear_bit(IMA_DIGSIG, &iint->atomic_flags); > } > > @@ -794,6 +794,8 @@ static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, > digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); > } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) { > digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG); > + } else if (result != 1) { The "if (result != 1)" test is redundant. thanks, Mimi > + digsig = -1; > } > if (result == 1 || evm_revalidate_status(xattr_name)) { > ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
On Thu, Sep 04, 2025 at 10:41:42PM -0400, Mimi Zohar wrote: >On Tue, 2025-09-02 at 12:25 +0800, Coiby Xu wrote: >> Currently when both IMA and EVM are in fix mode, the IMA signature will >> be reset to IMA hash if a program first stores IMA signature in >> security.ima and then sets security.selinux for a file. For example, on >> Fedora, after booting the kernel with "ima_appraise=fix evm=fix >> ima_policy=appraise_tcb" and installing rpm-plugin-ima, reinstalling a >> package will not make good reference IMA signature generated. Instead >> IMA hash is generated, >> # getfattr -m - -d -e hex /usr/bin/bash >> # file: usr/bin/bash >> security.ima=0x0404... >> >> This happens because when setting selinux.selinux, the IMA_DIGSIG flag >> that had been set early was cleared. As a result, IMA hash is generated >> when the file is closed. >> >> Here's a minimal C reproducer, >> >> #include <stdio.h> >> #include <sys/xattr.h> >> #include <fcntl.h> >> #include <unistd.h> >> #include <string.h> >> #include <stdlib.h> >> >> int main() { >> const char* file_path = "/usr/sbin/test_binary"; >> const char* hex_string = "030204d33204490066306402304"; >> int length = strlen(hex_string); >> char* ima_attr_value; >> int fd; >> >> fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644); >> if (fd == -1) { >> perror("Error opening file"); >> return 1; >> } >> >> ima_attr_value = (char*)malloc(length / 2 ); >> for (int i = 0, j = 0; i < length; i += 2, j++) { >> sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]); >> } >> >> if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) { >> perror("Error setting extended attribute"); >> close(fd); >> return 1; >> } >> >> const char* selinux_value= "system_u:object_r:bin_t:s0"; >> if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) { >> perror("Error setting extended attribute"); >> close(fd); >> return 1; >> } >> >> close(fd); >> >> return 0; >> } 
>> >> Signed-off-by: Coiby Xu <coxu@redhat.com> > >Thanks, Coiby. Agreed, the ability to clear the IMA_DIGSIG flag should be >limited to security.ima xattr and probably security.evm xattr. Writing other >security xattrs should not affect the IMA_DIGSIG flag. Thanks for confirming it! > >Even without an IMA appraise policy, the security xattrs are written out to the >filesystem, but the IMA_DIGSIG flag is not cached. It seems I miss some context for the above sentence. If no IMA policy is configured, no ima_iint_cache will be created. If you mean non-appraisal policy, will not caching IMA_DIGSIG flag cause any problem? > >Please document the tristate values: >0: clear IMA_DIGSIG >1: set IMA_DIGSIG >-1: don't change IMA_DIGSIG Addressed in v2. Thanks for the suggestion! > >> --- >> security/integrity/ima/ima_appraise.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c >> index f435eff4667f..fc82161f8b30 100644 >> --- a/security/integrity/ima/ima_appraise.c >> +++ b/security/integrity/ima/ima_appraise.c >> @@ -708,7 +708,7 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig) >> set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags); >> if (digsig) >> set_bit(IMA_DIGSIG, &iint->atomic_flags); > >This matches both -1 and 1. Test "digsig == 1" here. > >> - else >> + else if (digsig != -1) > >and test "digsig == 0" here. > >> clear_bit(IMA_DIGSIG, &iint->atomic_flags); >> } 
>> >> @@ -794,6 +794,8 @@ static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, >> digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); >> } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) { >> digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG); >> + } else if (result != 1) { > >The "if (result != 1)" test is redundant. I've fixed them in v2. Thanks for reviewing the patch and correcting my careless mistakes! I'll check if my mind is in a clear thinking state next time. > >thanks, > >Mimi > >> + digsig = -1; >> } >> if (result == 1 || evm_revalidate_status(xattr_name)) { >> ima_reset_appraise_flags(d_backing_inode(dentry), digsig); > -- Best regards, Coiby
Hi Coiby, On Mon, 2025-09-08 at 19:12 +0800, Coiby Xu wrote: > > > > Even without an IMA appraise policy, the security xattrs are written out to the > > filesystem, but the IMA_DIGSIG flag is not cached. > > It seems I miss some context for the above sentence. If no IMA policy is > configured, no ima_iint_cache will be created. If you mean non-appraisal > policy, will not caching IMA_DIGSIG flag cause any problem? Sorry. What I was trying to say is that your test program illustrates the problem both with or without any of the boot command line options as you suggested - "ima_appraise=fix evm=fix ima_policy=appraise_tcb". Writing some other security xattr is a generic problem, whether the file is in policy or not, whether IMA or EVM are in fix mode or not. The rpm-plugin-ima should install the IMA signature regardless. SELinux doesn't usually re-write the security.selinux xattr, so the problem is hard to reproduce after installing the rpm-plugin-ima with "dnf reinstall <package>". thanks, Mimi
On Mon, 2025-09-08 at 10:53 -0400, Mimi Zohar wrote: > Hi Coiby, > > On Mon, 2025-09-08 at 19:12 +0800, Coiby Xu wrote: > > > > > > Even without an IMA appraise policy, the security xattrs are written out to the > > > filesystem, but the IMA_DIGSIG flag is not cached. > > > > It seems I miss some context for the above sentence. If no IMA policy is > > configured, no ima_iint_cache will be created. If you mean non-appraisal > > policy, will not caching IMA_DIGSIG flag cause any problem? > > Sorry. What I was trying to say is that your test program illustrates the > problem both with or without any of the boot command line options as you > suggested - "ima_appraise=fix evm=fix ima_policy=appraise_tcb". Writing some > other security xattr is a generic problem, whether the file is in policy or not, > whether IMA or EVM are in fix mode or not. The rpm-plugin-ima should install > the IMA signature regardless. My mistake. An appraise policy indeed needs to be defined for the file signature to be replaced with a file hash. > > SELinux doesn't usually re-write the security.selinux xattr, so the problem is > hard to reproduce after installing the rpm-plugin-ima with "dnf reinstall > <package>". > > thanks, > > Mimi >
On Mon, Sep 08, 2025 at 04:58:05PM -0400, Mimi Zohar wrote: >On Mon, 2025-09-08 at 10:53 -0400, Mimi Zohar wrote: >> Hi Coiby, >> >> On Mon, 2025-09-08 at 19:12 +0800, Coiby Xu wrote: >> > > >> > > Even without an IMA appraise policy, the security xattrs are written out to the >> > > filesystem, but the IMA_DIGSIG flag is not cached. >> > >> > It seems I miss some context for the above sentence. If no IMA policy is >> > configured, no ima_iint_cache will be created. If you mean non-appraisal >> > policy, will not caching IMA_DIGSIG flag cause any problem? >> >> Sorry. What I was trying to say is that your test program illustrates the >> problem both with or without any of the boot command line options as you >> suggested - "ima_appraise=fix evm=fix ima_policy=appraise_tcb". Writing some >> other security xattr is a generic problem, whether the file is in policy or not, >> whether IMA or EVM are in fix mode or not. The rpm-plugin-ima should install >> the IMA signature regardless. > >My mistake. An appraise policy indeed needs to be defined for the file >signature to be replaced with a file hash. Thanks for the clarification! 
rpm-plugin-ima does try to install IMA signature as shown from the following strace output, # strace rpm --reinstall ip*.rpm openat(11, "lnstat;68aee3f4", O_WRONLY|O_CREAT|O_EXCL, 0200) = 12 dup(12) = 13 write(13, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0'\0\0\0\0\0\0"..., 19256) = 19256 close(13) = 0 getuid() = 0 fchown(12, 0, 0) = 0 fchmod(12, 0755) = 0 getuid() = 0 utimensat(12, NULL, [{tv_sec=1734480000, tv_nsec=0} /* 2024-12-17T19:00:00-0500 */, {tv_sec=1734480000, tv_nsec=0} /* 2024-12-17T19:00:00-0500 */], 0) = 0 fsetxattr(12, "security.ima", "\3\2\4\3232\4I\0f0d\0020O\231\341q\323Q\322\235\341\7\323\224\205\2104\24\241\331#"..., 111, 0) = 0 fsetxattr(12, "security.selinux", "system_u:object_r:bin_t:s0", 27, 0) = 0 close(12) = 0 But after rpm-plugin-selinux sets security.selinux, the IMA signature get cleared and is replaced with IMA hash. > >> >> SELinux doesn't usually re-write the security.selinux xattr, so the problem is >> hard to reproduce after installing the rpm-plugin-ima with "dnf reinstall >> <package>". Since rpm-plugin-selinux will write security.selinux for a newly installed file, so this issue can be easily reproduced. If you want to reproduce this issue by yourself, here are the steps to reproduce this issue on Fedora, 1. Turn off secure boot and boot the kernel with "ima_appraise=fix evm=fix ima_policy=appraise_tcb" 2. dnf install rpm-plugin-ima -y 3. dnf reinstall iproute -y 4. Run "getfattr -m - -d -e hex /usr/sbin/ip" to check if /usr/sbin/ip has IMA signature set And my attached C reproducer is to extract the essence of what rpm-plugin-ima does so it can be a minimal reproducer and also to illustrate what the problem is. >> >> thanks, >> >> Mimi >> > -- Best regards, Coiby
On Wed, 2025-09-10 at 09:36 +0800, Coiby Xu wrote: > On Mon, Sep 08, 2025 at 04:58:05PM -0400, Mimi Zohar wrote: > > On Mon, 2025-09-08 at 10:53 -0400, Mimi Zohar wrote: > > > Hi Coiby, > > > > > > On Mon, 2025-09-08 at 19:12 +0800, Coiby Xu wrote: > > > > > > > > > > Even without an IMA appraise policy, the security xattrs are written out to the > > > > > filesystem, but the IMA_DIGSIG flag is not cached. > > > > > > > > It seems I miss some context for the above sentence. If no IMA policy is > > > > configured, no ima_iint_cache will be created. If you mean non-appraisal > > > > policy, will not caching IMA_DIGSIG flag cause any problem? > > > > > > Sorry. What I was trying to say is that your test program illustrates the > > > problem both with or without any of the boot command line options as you > > > suggested - "ima_appraise=fix evm=fix ima_policy=appraise_tcb". Writing some > > > other security xattr is a generic problem, whether the file is in policy or not, > > > whether IMA or EVM are in fix mode or not. The rpm-plugin-ima should install > > > the IMA signature regardless. > > > > My mistake. An appraise policy indeed needs to be defined for the file > > signature to be replaced with a file hash. > > Thanks for the clarification! rpm-plugin-ima does try to install IMA > signature as shown from the following strace output, Agreed. I was referring to the SELinux label, which would be installed for new files, but not necessarily re-installed on existing files. The test program simplified testing. Thank you. Mimi
On Wed, Sep 10, 2025 at 08:21:33AM -0400, Mimi Zohar wrote: >On Wed, 2025-09-10 at 09:36 +0800, Coiby Xu wrote: >> On Mon, Sep 08, 2025 at 04:58:05PM -0400, Mimi Zohar wrote: >> > On Mon, 2025-09-08 at 10:53 -0400, Mimi Zohar wrote: >> > > Hi Coiby, >> > > >> > > On Mon, 2025-09-08 at 19:12 +0800, Coiby Xu wrote: >> > > > > >> > > > > Even without an IMA appraise policy, the security xattrs are written out to the >> > > > > filesystem, but the IMA_DIGSIG flag is not cached. >> > > > >> > > > It seems I miss some context for the above sentence. If no IMA policy is >> > > > configured, no ima_iint_cache will be created. If you mean non-appraisal >> > > > policy, will not caching IMA_DIGSIG flag cause any problem? >> > > >> > > Sorry. What I was trying to say is that your test program illustrates the >> > > problem both with or without any of the boot command line options as you >> > > suggested - "ima_appraise=fix evm=fix ima_policy=appraise_tcb". Writing some >> > > other security xattr is a generic problem, whether the file is in policy or not, >> > > whether IMA or EVM are in fix mode or not. The rpm-plugin-ima should install >> > > the IMA signature regardless. >> > >> > My mistake. An appraise policy indeed needs to be defined for the file >> > signature to be replaced with a file hash. >> >> Thanks for the clarification! rpm-plugin-ima does try to install IMA >> signature as shown from the following strace output, > >Agreed. I was referring to the SELinux label, which would be installed for new >files, but not necessarily re-installed on existing files. The test program >simplified testing. Thank you. My pleasure! Note reinstalling a package using dnf/rpm is equivalent to installing a new package in terms of this issue. Because according to the strace output and rpm's source code, when reinstalling a package, the following steps happens, taking lnstat as an example, 1. A temporary file "lnstat;68aee3f4" is created 2. 
Read the content from RPM and write it to lnstat;68aee3f4 3. Set file permission 4. Set security.ima by rpm-plugin-ima 5. Set security.selinux by rpm-plugin-selinux 6. Rename "lnstat;68aee3f4" to lnstat And here's the strace output, # strace rpm --reinstall ip*.rpm openat(11, "lnstat;68aee3f4", O_WRONLY|O_CREAT|O_EXCL, 0200) = 12 dup(12) = 13 write(13, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0'\0\0\0\0\0\0"..., 19256) = 19256 close(13) = 0 getuid() = 0 fchown(12, 0, 0) = 0 fchmod(12, 0755) = 0 getuid() = 0 utimensat(12, NULL, [{tv_sec=1734480000, tv_nsec=0} /* 2024-12-17T19:00:00-0500 */, {tv_sec=1734480000, tv_nsec=0} /* 2024-12-17T19:00:00-0500 */], 0) = 0 fsetxattr(12, "security.ima", "\3\2\4\3232\4I\0f0d\0020O\231\341q\323Q\322\235\341\7\323\224\205\2104\24\241\331#"..., 111, 0) = 0 fsetxattr(12, "security.selinux", "system_u:object_r:bin_t:s0", 27, 0) = 0 close(12) = 0 ... renameat(11, "lnstat;68aee3f4", 11, "lnstat") = 0 > >Mimi > -- Best regards, Coiby
On Mon, Sep 15, 2025 at 12:06:14PM +0800, Coiby Xu wrote: >On Wed, Sep 10, 2025 at 08:21:33AM -0400, Mimi Zohar wrote: >>On Wed, 2025-09-10 at 09:36 +0800, Coiby Xu wrote: >>>On Mon, Sep 08, 2025 at 04:58:05PM -0400, Mimi Zohar wrote: >>>> On Mon, 2025-09-08 at 10:53 -0400, Mimi Zohar wrote: >>>> > Hi Coiby, >>>> > >>>> > On Mon, 2025-09-08 at 19:12 +0800, Coiby Xu wrote: >>>> > > > >>>> > > > Even without an IMA appraise policy, the security xattrs are written out to the >>>> > > > filesystem, but the IMA_DIGSIG flag is not cached. >>>> > > >>>> > > It seems I miss some context for the above sentence. If no IMA policy is >>>> > > configured, no ima_iint_cache will be created. If you mean non-appraisal >>>> > > policy, will not caching IMA_DIGSIG flag cause any problem? >>>> > >>>> > Sorry. What I was trying to say is that your test program illustrates the >>>> > problem both with or without any of the boot command line options as you >>>> > suggested - "ima_appraise=fix evm=fix ima_policy=appraise_tcb". Writing some >>>> > other security xattr is a generic problem, whether the file is in policy or not, >>>> > whether IMA or EVM are in fix mode or not. The rpm-plugin-ima should install >>>> > the IMA signature regardless. >>>> >>>> My mistake. An appraise policy indeed needs to be defined for the file >>>> signature to be replaced with a file hash. >>> >>>Thanks for the clarification! rpm-plugin-ima does try to install IMA >>>signature as shown from the following strace output, >> >>Agreed. I was referring to the SELinux label, which would be installed for new >>files, but not necessarily re-installed on existing files. The test program >>simplified testing. Thank you. > >My pleasure! Note reinstalling a package using dnf/rpm is equivalent to >installing a new package in terms of this issue. Because according to >the strace output and rpm's source code, when reinstalling a package, >the following steps happens, taking lnstat as an example, > >1. 
A temporary file "lnstat;68aee3f4" is created >2. Read the content from RPM and write it to lnstat;68aee3f4 >3. Set file permission >4. Set security.ima by rpm-plugin-ima >5. Set security.selinux by rpm-plugin-selinux >6. Rename "lnstat;68aee3f4" to lnstat > >And here's the strace output, > > # strace rpm --reinstall ip*.rpm > openat(11, "lnstat;68aee3f4", O_WRONLY|O_CREAT|O_EXCL, 0200) = 12 > dup(12) = 13 > write(13, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0'\0\0\0\0\0\0"..., 19256) = 19256 > close(13) = 0 > getuid() = 0 > fchown(12, 0, 0) = 0 > fchmod(12, 0755) = 0 > getuid() = 0 > utimensat(12, NULL, [{tv_sec=1734480000, tv_nsec=0} /* 2024-12-17T19:00:00-0500 */, {tv_sec=1734480000, tv_nsec=0} /* 2024-12-17T19:00:00-0500 */], 0) = 0 > fsetxattr(12, "security.ima", "\3\2\4\3232\4I\0f0d\0020O\231\341q\323Q\322\235\341\7\323\224\205\2104\24\241\331#"..., 111, 0) = 0 > fsetxattr(12, "security.selinux", "system_u:object_r:bin_t:s0", 27, 0) = 0 > close(12) = 0 > ... > renameat(11, "lnstat;68aee3f4", 11, "lnstat") = 0 Btw, I realize my commit message that says the problem happens when reinstalling a package can be a bit misleading. So in v3, I rephrase it as "... installing/reinstalling a package will not make good reference IMA generated"
Currently when both IMA and EVM are in fix mode, the IMA signature will
be reset to IMA hash if a program first stores IMA signature in
security.ima and then writes/removes some other security xattr for the
file.
For example, on Fedora, after booting the kernel with "ima_appraise=fix
evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima,
installing/reinstalling a package will not make good reference IMA
signature generated. Instead IMA hash is generated,
# getfattr -m - -d -e hex /usr/bin/bash
# file: usr/bin/bash
security.ima=0x0404...
This happens because when setting security.selinux, the IMA_DIGSIG flag
that had been set early was cleared. As a result, IMA hash is generated
when the file is closed.
Similarly, IMA signature can be cleared on file close after removing
security xattr like security.evm or setting/removing ACL.
Prevent replacing the IMA file signature with a file hash, by preventing
the IMA_DIGSIG flag from being reset.
Here's a minimal C reproducer which sets security.selinux as the last
step; that step can also be replaced by removing security.evm or setting an ACL,
#include <stdio.h>
#include <sys/xattr.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
int main() {
const char* file_path = "/usr/sbin/test_binary";
const char* hex_string = "030204d33204490066306402304";
int length = strlen(hex_string);
char* ima_attr_value;
int fd;
fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);
if (fd == -1) {
perror("Error opening file");
return 1;
}
ima_attr_value = (char*)malloc(length / 2 );
for (int i = 0, j = 0; i < length; i += 2, j++) {
sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]);
}
if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) {
perror("Error setting extended attribute");
close(fd);
return 1;
}
const char* selinux_value= "system_u:object_r:bin_t:s0";
if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) {
perror("Error setting extended attribute");
close(fd);
return 1;
}
close(fd);
return 0;
}
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
security/integrity/ima/ima_appraise.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index f435eff4667f..5149ff4fd50d 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -694,6 +694,15 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
return 0;
}
+/*
+ * ima_reset_appraise_flags - reset ima_iint_cache flags
+ *
+ * @digsig: whether to clear/set IMA_DIGSIG flag, tristate values
+ * 0: clear IMA_DIGSIG
+ * 1: set IMA_DIGSIG
+ * -1: don't change IMA_DIGSIG
+ *
+ */
static void ima_reset_appraise_flags(struct inode *inode, int digsig)
{
struct ima_iint_cache *iint;
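Review bot: The new header comment documents @digsig but not @inode, and it opens with a plain `/*` while carrying a trailing empty ` *` line, so it is neither a complete kernel-doc block nor a plain comment. I would open it with `/**`, add `@inode: inode whose ima_iint_cache flags are reset` above the @digsig entry, and drop the empty ` *` line before ` */`. The body of ima_reset_appraise_flags continues outside this hunk.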
@@ -706,9 +715,9 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig)
return;
iint->measured_pcrs = 0;
set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
- if (digsig)
+ if (digsig == 1)
set_bit(IMA_DIGSIG, &iint->atomic_flags);
- else
+ else if (digsig == 0)
clear_bit(IMA_DIGSIG, &iint->atomic_flags);
}
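Review bot: With `if (digsig == 1)` / `else if (digsig == 0)`, any other value silently leaves IMA_DIGSIG untouched, and the meaning of each literal lives only in the comment above the function; the three call sites later in this patch (ima_inode_setxattr, ima_inode_set_acl, ima_inode_removexattr) pass bare -1/0/1. Naming the three states in an enum and using it as the parameter type (names are only a suggestion, e.g. keep/clear/set) would make a stray value visible at compile time and the call sites self-describing. The start of ima_reset_appraise_flags, including the iint lookup, is outside this hunk.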
@@ -794,6 +803,8 @@ static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
} else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
+ } else {
+ digsig = -1;
}
if (result == 1 || evm_revalidate_status(xattr_name)) {
ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
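Review bot: The added `} else { digsig = -1; }` expresses the "leave IMA_DIGSIG alone" default as a fallthrough branch, whereas the removexattr hunk in the same patch expresses it as the initializer `int result, digsig = -1;`. If digsig is initialized at the top of ima_inode_setxattr (outside this hunk), changing that initializer to -1 and dropping the new else branch would keep the two hooks consistent and make it clearer that every path not explicitly choosing 0 or 1 preserves the flag. ima_inode_setxattr begins before this hunk.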
@@ -807,7 +818,7 @@ static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
const char *acl_name, struct posix_acl *kacl)
{
if (evm_revalidate_status(acl_name))
- ima_reset_appraise_flags(d_backing_inode(dentry), 0);
+ ima_reset_appraise_flags(d_backing_inode(dentry), -1);
return 0;
}
@@ -815,11 +826,13 @@ static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
static int ima_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry,
const char *xattr_name)
{
- int result;
+ int result, digsig = -1;
result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
if (result == 1 || evm_revalidate_status(xattr_name)) {
- ima_reset_appraise_flags(d_backing_inode(dentry), 0);
+ if (!strcmp(xattr_name, XATTR_NAME_IMA))
+ digsig = 0;
+ ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
if (result == 1)
result = 0;
}
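Review bot: The new `if (!strcmp(xattr_name, XATTR_NAME_IMA)) digsig = 0;` keys the clearing on the xattr name rather than on `result == 1`, so a security.ima removal for which ima_protect_xattr returned an error (its body is outside this hunk; it appears to be the only source of result == 1) still clears IMA_DIGSIG and resets the flags even though the removal is about to be refused. The setxattr hunk in the same patch makes the opposite choice by mapping every result != 1 to -1. Assuming ima_protect_xattr returns 1 exactly for a permitted security.ima operation, `if (result == 1) digsig = 0;` would drop the second string compare and bring both hooks into line.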
base-commit: 7aac71907bdea16e2754a782b9d9155449a9d49d
--
2.51.0
On Mon, 2025-09-15 at 13:55 +0800, Coiby Xu wrote: > Currently when both IMA and EVM are in fix mode, the IMA signature will > be reset to IMA hash if a program first stores IMA signature in > security.ima and then writes/removes some other security xattr for the > file. > > For example, on Fedora, after booting the kernel with "ima_appraise=fix > evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima, > installing/reinstalling a package will not make good reference IMA > signature generated. Instead IMA hash is generated, > > # getfattr -m - -d -e hex /usr/bin/bash > # file: usr/bin/bash > security.ima=0x0404... > > This happens because when setting security.selinux, the IMA_DIGSIG flag > that had been set early was cleared. As a result, IMA hash is generated > when the file is closed. > > Similarly, IMA signature can be cleared on file close after removing > security xattr like security.evm or setting/removing ACL. > > Prevent replacing the IMA file signature with a file hash, by preventing > the IMA_DIGSIG flag from being reset. 
> > Here's a minimal C reproducer which sets security.selinux as the last > step which can also replaced by removing security.evm or setting ACL, > > #include <stdio.h> > #include <sys/xattr.h> > #include <fcntl.h> > #include <unistd.h> > #include <string.h> > #include <stdlib.h> > > int main() { > const char* file_path = "/usr/sbin/test_binary"; > const char* hex_string = "030204d33204490066306402304"; > int length = strlen(hex_string); > char* ima_attr_value; > int fd; > > fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644); > if (fd == -1) { > perror("Error opening file"); > return 1; > } > > ima_attr_value = (char*)malloc(length / 2 ); > for (int i = 0, j = 0; i < length; i += 2, j++) { > sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]); > } > > if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) { > perror("Error setting extended attribute"); > close(fd); > return 1; > } > > const char* selinux_value= "system_u:object_r:bin_t:s0"; > if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) { > perror("Error setting extended attribute"); > close(fd); > return 1; > } > > close(fd); > > return 0; > } > > Signed-off-by: Coiby Xu <coxu@redhat.com> Thanks, Coiby. The patch is now queued in next-integrity. > --- > security/integrity/ima/ima_appraise.c | 23 ++++++++++++++++++----- > 1 file changed, 18 insertions(+), 5 deletions(-) > > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > index f435eff4667f..5149ff4fd50d 100644 > --- a/security/integrity/ima/ima_appraise.c > +++ b/security/integrity/ima/ima_appraise.c 
> @@ -694,6 +694,15 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name, > return 0; > } > > +/* > + * ima_reset_appraise_flags - reset ima_iint_cache flags > + * > + * @digsig: whether to clear/set IMA_DIGSIG flag, tristate values > + * 0: clear IMA_DIGSIG > + * 1: set IMA_DIGSIG > + * -1: don't change IMA_DIGSIG > + * > + */ > static void ima_reset_appraise_flags(struct inode *inode, int digsig) > { > struct ima_iint_cache *iint; > @@ -706,9 +715,9 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig) > return; > iint->measured_pcrs = 0; > set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags); > - if (digsig) > + if (digsig == 1) > set_bit(IMA_DIGSIG, &iint->atomic_flags); > - else > + else if (digsig == 0) > clear_bit(IMA_DIGSIG, &iint->atomic_flags); > } > > @@ -794,6 +803,8 @@ static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, > digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); > } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) { > digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG); > + } else { > + digsig = -1; > } > if (result == 1 || evm_revalidate_status(xattr_name)) { > ima_reset_appraise_flags(d_backing_inode(dentry), digsig); > @@ -807,7 +818,7 @@ static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, > const char *acl_name, struct posix_acl *kacl) > { > if (evm_revalidate_status(acl_name)) > - ima_reset_appraise_flags(d_backing_inode(dentry), 0); > + ima_reset_appraise_flags(d_backing_inode(dentry), -1); > > return 0; > } 
> @@ -815,11 +826,13 @@ static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, > static int ima_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, > const char *xattr_name) > { > - int result; > + int result, digsig = -1; > > result = ima_protect_xattr(dentry, xattr_name, NULL, 0); > if (result == 1 || evm_revalidate_status(xattr_name)) { > - ima_reset_appraise_flags(d_backing_inode(dentry), 0); > + if (!strcmp(xattr_name, XATTR_NAME_IMA)) > + digsig = 0; > + ima_reset_appraise_flags(d_backing_inode(dentry), digsig); > if (result == 1) > result = 0; > } > > base-commit: 7aac71907bdea16e2754a782b9d9155449a9d49d
Currently, when both IMA and EVM are in fix mode, the IMA signature is
reset to an IMA hash if a program first stores an IMA signature in
security.ima and then sets security.selinux on the file. For example, on
Fedora, after booting the kernel with "ima_appraise=fix evm=fix
ima_policy=appraise_tcb" and installing rpm-plugin-ima, reinstalling a
package does not produce a good reference IMA signature. Instead, an
IMA hash is generated:
# getfattr -m - -d -e hex /usr/bin/bash
# file: usr/bin/bash
security.ima=0x0404...
This happens because, when security.selinux is set, the IMA_DIGSIG flag
that had been set earlier is cleared. As a result, an IMA hash is
generated when the file is closed.
Here's a minimal C reproducer:
#include <stdio.h>
#include <sys/xattr.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
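/*
 * Reproducer: create a new file, store a signature-typed value in
 * security.ima, then write security.selinux on the same open fd.
 *
 * Returns 0 on success and 1 on any failure; the failing step is
 * reported with perror()/fprintf(stderr).
 */
int main(void) {
const char *file_path = "/usr/sbin/test_binary";
/* First byte 0x03 marks the value as a digital-signature IMA xattr. */
const char *hex_string = "030204d33204490066306402304";
const char *selinux_value = "system_u:object_r:bin_t:s0";
size_t length = strlen(hex_string);
/*
 * Only complete hex byte pairs are decoded. hex_string has an odd
 * length, so the trailing nibble is deliberately dropped; sizing the
 * buffer and the loop from value_len (not from length) is what keeps
 * the decode from writing one byte past the end of ima_attr_value.
 */
size_t value_len = length / 2;
unsigned char *ima_attr_value = NULL;
int rc = 1;
int fd;

fd = open(file_path, O_WRONLY | O_CREAT | O_EXCL, 0644);
if (fd == -1) {
perror("Error opening file");
return 1;
}

ima_attr_value = malloc(value_len);
if (ima_attr_value == NULL) {
perror("Error allocating attribute buffer");
goto out_close;
}

/* %hhx needs an unsigned char target; bail out on any non-hex input. */
for (size_t j = 0; j < value_len; j++) {
if (sscanf(hex_string + 2 * j, "%2hhx", &ima_attr_value[j]) != 1) {
fprintf(stderr, "Error parsing hex string at offset %zu\n", 2 * j);
goto out_free;
}
}

if (fsetxattr(fd, "security.ima", ima_attr_value, value_len, 0) == -1) {
perror("Error setting extended attribute");
goto out_free;
}

if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) {
perror("Error setting extended attribute");
goto out_free;
}

rc = 0;

out_free:
free(ima_attr_value);
out_close:
close(fd);
return rc;
}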
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
security/integrity/ima/ima_appraise.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index f435eff4667f..4e4750ea41ad 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -694,6 +694,15 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
return 0;
}
+/*
+ * ima_reset_appraise_flags - reset ima_iint_cache flags
+ *
+ * @digsig: whether to clear/set IMA_DIGSIG flag, tristate values
+ * 0: clear IMA_DIGSIG
+ * 1: set IMA_DIGSIG
+ * -1: don't change IMA_DIGSIG
+ *
+ */
static void ima_reset_appraise_flags(struct inode *inode, int digsig)
{
struct ima_iint_cache *iint;
@@ -706,9 +715,9 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig)
return;
iint->measured_pcrs = 0;
set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
- if (digsig)
+ if (digsig == 1)
set_bit(IMA_DIGSIG, &iint->atomic_flags);
- else
+ else if (digsig == 0)
clear_bit(IMA_DIGSIG, &iint->atomic_flags);
}
@@ -794,6 +803,8 @@ static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
} else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
+ } else {
+ digsig = -1;
}
if (result == 1 || evm_revalidate_status(xattr_name)) {
ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
--
2.51.0
On Mon, 2025-09-08 at 18:58 +0800, Coiby Xu wrote: > Currently when both IMA and EVM are in fix mode, the IMA signature will > be reset to IMA hash if a program first stores IMA signature in > security.ima and then sets security.selinux for a file. The problem description should be generic. -> and then writes some other security xattr for the file. Start a new paragraph here for the example. > For example, on > Fedora, after booting the kernel with "ima_appraise=fix evm=fix > ima_policy=appraise_tcb" and installing rpm-plugin-ima, reinstalling a > package will not make good reference IMA signature generated. Instead > IMA hash is generated, > # getfattr -m - -d -e hex /usr/bin/bash > # file: usr/bin/bash > security.ima=0x0404... > > This happens because when setting selinux.selinux, the IMA_DIGSIG flag > that had been set early was cleared. As a result, IMA hash is generated > when the file is closed. Start a new paragraph here, adding a sentence describing the solution to the problem. For example, Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset. 
> > Here's a minimal C reproducer, > > #include <stdio.h> > #include <sys/xattr.h> > #include <fcntl.h> > #include <unistd.h> > #include <string.h> > #include <stdlib.h> > > int main() { > const char* file_path = "/usr/sbin/test_binary"; > const char* hex_string = "030204d33204490066306402304"; > int length = strlen(hex_string); > char* ima_attr_value; > int fd; > > fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644); > if (fd == -1) { > perror("Error opening file"); > return 1; > } > > ima_attr_value = (char*)malloc(length / 2 ); > for (int i = 0, j = 0; i < length; i += 2, j++) { > sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]); > } > > if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) { > perror("Error setting extended attribute"); > close(fd); > return 1; > } > > const char* selinux_value= "system_u:object_r:bin_t:s0"; > if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) { > perror("Error setting extended attribute"); > close(fd); > return 1; > } > > close(fd); > > return 0; > } > > Signed-off-by: Coiby Xu <coxu@redhat.com> Thanks, Coiby. The updated patch looks good. Have you looked at the other calls to ima_reset_appraise_flags() to make sure they don't need to be adjusted? thanks, Mimi > --- > security/integrity/ima/ima_appraise.c | 15 +++++++++++++-- > 1 file changed, 13 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > index f435eff4667f..4e4750ea41ad 100644 > --- a/security/integrity/ima/ima_appraise.c > +++ b/security/integrity/ima/ima_appraise.c 
> @@ -694,6 +694,15 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
> return 0;
> }
>
> +/*
> + * ima_reset_appraise_flags - reset ima_iint_cache flags
> + *
> + * @digsig: whether to clear/set IMA_DIGSIG flag, tristate values
> + * 0: clear IMA_DIGSIG
> + * 1: set IMA_DIGSIG
> + * -1: don't change IMA_DIGSIG
> + *
> + */
> static void ima_reset_appraise_flags(struct inode *inode, int digsig)
> {
> struct ima_iint_cache *iint;
> @@ -706,9 +715,9 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig)
> return;
> iint->measured_pcrs = 0;
> set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
> - if (digsig)
> + if (digsig == 1)
> set_bit(IMA_DIGSIG, &iint->atomic_flags);
> - else
> + else if (digsig == 0)
> clear_bit(IMA_DIGSIG, &iint->atomic_flags);
> }
>
> @@ -794,6 +803,8 @@ static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
> digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
> } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
> digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
> + } else {
> + digsig = -1;
> }
> if (result == 1 || evm_revalidate_status(xattr_name)) {
> ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
On Wed, Sep 10, 2025 at 08:21:03AM -0400, Mimi Zohar wrote: >On Mon, 2025-09-08 at 18:58 +0800, Coiby Xu wrote: >> Currently when both IMA and EVM are in fix mode, the IMA signature will >> be reset to IMA hash if a program first stores IMA signature in >> security.ima and then sets security.selinux for a file. > >The problem description should be generic. > >-> and then writes some other security xattr for the file. Good advice! I've applied it to v3 with a slight change, "... then writes/removes some other security xattr" in v3, > >Start a new paragraph here for the example. >> For example, on >> Fedora, after booting the kernel with "ima_appraise=fix evm=fix >> ima_policy=appraise_tcb" and installing rpm-plugin-ima, reinstalling a >> package will not make good reference IMA signature generated. Instead >> IMA hash is generated, >> # getfattr -m - -d -e hex /usr/bin/bash >> # file: usr/bin/bash >> security.ima=0x0404... >> >> This happens because when setting selinux.selinux, the IMA_DIGSIG flag >> that had been set early was cleared. As a result, IMA hash is generated >> when the file is closed. > >Start a new paragraph here, adding a sentence describing the solution to the >problem. For example, > >Prevent replacing the IMA file signature with a file hash, by preventing the >IMA_DIGSIG flag from being reset. Thanks for the suggestion, applied to v3. 
> >> >> Here's a minimal C reproducer, >> >> #include <stdio.h> >> #include <sys/xattr.h> >> #include <fcntl.h> >> #include <unistd.h> >> #include <string.h> >> #include <stdlib.h> >> >> int main() { >> const char* file_path = "/usr/sbin/test_binary"; >> const char* hex_string = "030204d33204490066306402304"; >> int length = strlen(hex_string); >> char* ima_attr_value; >> int fd; >> >> fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644); >> if (fd == -1) { >> perror("Error opening file"); >> return 1; >> } >> >> ima_attr_value = (char*)malloc(length / 2 ); >> for (int i = 0, j = 0; i < length; i += 2, j++) { >> sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]); >> } >> >> if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) { >> perror("Error setting extended attribute"); >> close(fd); >> return 1; >> } >> >> const char* selinux_value= "system_u:object_r:bin_t:s0"; >> if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) { >> perror("Error setting extended attribute"); >> close(fd); >> return 1; >> } >> >> close(fd); >> >> return 0; >> } >> >> Signed-off-by: Coiby Xu <coxu@redhat.com> > >Thanks, Coiby. The updated patch looks good. Have you looked at the other >calls to ima_reset_appraise_flags() to make sure they don't need to be adjusted? Great question! I've updated the other two places in v3 which can address two additional cases, - remove xattr like security.evm - set/remove ACL Note I tried to write a C program to set/remove ACL but somehow the C version of "setfacl -m u:test:r" always lead to "acl_set_fd: Invalid argument". I bypass this issue by setting system.posix_acl_access xattr directly. We can get the value by "getfattr -m system.posix_acl_access -d -e hex" after "setfacl -m u:test:r /usr/sbin/test_binary". > >thanks, > >Mimi > >> --- >> security/integrity/ima/ima_appraise.c | 15 +++++++++++++-- >> 1 file changed, 13 insertions(+), 2 deletions(-) 
>>
>> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
>> index f435eff4667f..4e4750ea41ad 100644
>> --- a/security/integrity/ima/ima_appraise.c
>> +++ b/security/integrity/ima/ima_appraise.c
>> @@ -694,6 +694,15 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
>> return 0;
>> }
>>
>> +/*
>> + * ima_reset_appraise_flags - reset ima_iint_cache flags
>> + *
>> + * @digsig: whether to clear/set IMA_DIGSIG flag, tristate values
>> + * 0: clear IMA_DIGSIG
>> + * 1: set IMA_DIGSIG
>> + * -1: don't change IMA_DIGSIG
>> + *
>> + */
>> static void ima_reset_appraise_flags(struct inode *inode, int digsig)
>> {
>> struct ima_iint_cache *iint;
>> @@ -706,9 +715,9 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig)
>> return;
>> iint->measured_pcrs = 0;
>> set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
>> - if (digsig)
>> + if (digsig == 1)
>> set_bit(IMA_DIGSIG, &iint->atomic_flags);
>> - else
>> + else if (digsig == 0)
>> clear_bit(IMA_DIGSIG, &iint->atomic_flags);
>> }
>>
>> @@ -794,6 +803,8 @@ static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
>> digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
>> } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
>> digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
>> + } else {
>> + digsig = -1;
>> }
>> if (result == 1 || evm_revalidate_status(xattr_name)) {
>> ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
>
> -- Best regards, Coiby