From b059cf0ee119d38d1dedd7c72e02b3f254f06e1c Mon Sep 17 00:00:00 2001
From: Anakin Zhang
Date: Tue, 24 Aug 2021 15:18:24 +0800
Subject: [PATCH 1/6] fix digestlist.conf warning

Signed-off-by: Anakin Zhang
---
 initrd/dracut/digestlist.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/initrd/dracut/digestlist.conf b/initrd/dracut/digestlist.conf
index 1c9ddff..f58c08d 100644
--- a/initrd/dracut/digestlist.conf
+++ b/initrd/dracut/digestlist.conf
@@ -1,3 +1,3 @@
 do_strip=no
-add_dracutmodules+=" digestlist"
+add_dracutmodules+=" digestlist "
 file_metadata_opt="-e xattr"
--
Gitee

From 044af13bea212735e53f15faa395aac17803bf64 Mon Sep 17 00:00:00 2001
From: Zhang Tianxing
Date: Sat, 8 May 2021 10:09:35 +0800
Subject: [PATCH 2/6] fix duplicated kernel parameters

In script setup_grub2, when set "measurement+appraisal", there are some duplicated common kernel parameters. This patch fixes the issue by using a common variable.

Conflict:NA
Reference:

Signed-off-by: Zhang Tianxing
---
 scripts/setup_grub2 | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/scripts/setup_grub2 b/scripts/setup_grub2
index e785ef2..2ed628b 100755
--- a/scripts/setup_grub2
+++ b/scripts/setup_grub2
@@ -31,20 +31,19 @@ fi
 . /etc/os-release
-opts_measurement='ima_template=ima-sig ima_policy=\\\"exec_tcb\\\" initramtmpfs
- ima_hash=sha256 ima_digest_list_pcr=11'
-opts_appraisal='ima_template=ima-sig
- ima_policy=\\\"appraise_exec_tcb|appraise_exec_immutable\\\" initramtmpfs
- ima_hash=sha256 ima_appraise=enforce-evm evm=x509 evm=complete
- ima_appraise_digest_list=digest'
+opts_common='ima_template=ima-sig initramtmpfs ima_hash=sha256 integrity=1'
+opts_measurement='ima_policy=\\\"exec_tcb\\\" ima_digest_list_pcr=11'
+opts_appraisal='ima_policy=\\\"appraise_exec_tcb|appraise_exec_immutable\\\"
+ ima_appraise=enforce-evm ima_appraise_digest_list=digest evm=x509
+ evm=complete'
 opts=""
 if [ "$1" = "measurement" ]; then
- opts="$opts_measurement"
+ opts="$opts_common $opts_measurement"
 elif [ "$1" = "appraisal" ]; then
- opts="$opts_appraisal"
+ opts="$opts_common $opts_appraisal"
 elif [ "$1" = "measurement+appraisal" ]; then
- opts="$opts_measurement $opts_appraisal"
+ opts="$opts_common $opts_measurement $opts_appraisal"
 else
 echo "Unknown feature $1"
 exit 1
--
Gitee

From 3fe6ef9de20be91f0297434324af84354b933700 Mon Sep 17 00:00:00 2001
From: luhuaxin
Date: Thu, 28 Jul 2022 00:32:12 +0800
Subject: [PATCH 3/6] fix sm3 algorithm name

Signed-off-by: luhuaxin
---
 lib/kernel_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/kernel_lib.c b/lib/kernel_lib.c
index 2f0caff..d6733f2 100644
--- a/lib/kernel_lib.c
+++ b/lib/kernel_lib.c
@@ -38,7 +38,7 @@ const char *const hash_algo_name[HASH_ALGO__LAST] = {
 [HASH_ALGO_TGR_128] = "tgr128",
 [HASH_ALGO_TGR_160] = "tgr160",
 [HASH_ALGO_TGR_192] = "tgr192",
- [HASH_ALGO_SM3_256] = "sm3-256",
+ [HASH_ALGO_SM3_256] = "sm3",
 };
 const int hash_digest_size[HASH_ALGO__LAST] = {
--
Gitee

From 9367a2ab1e04fd7e2942c03a3e8f0421e4296173 Mon Sep 17 00:00:00 2001
From: shenxiangwei
Date: Tue, 2 Aug 2022 21:11:44 +0800
Subject: [PATCH 4/6] fix faulty code
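Review bot: `opts_common` carries `integrity=1`, a kernel parameter that neither of the removed `opts_measurement`/`opts_appraisal` strings contained, so the hunk changes the generated command line beyond the de-duplication the commit message describes; either drop it from this commit or state in the description why it is now required for every feature. The rest of the rewrite is faithful: every token of the two removed strings reappears in `opts_common` or the feature-specific variable, and the three `opts=` assignments combine them for the same feature names as before. A one-line comment above the variables, `# opts_common is prepended to every feature's parameters by the branches below`, would make the dependency obvious to whoever adds the next feature.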
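Review bot: The new `"sm3"` string is a lookup key that has to agree with the running kernel's own `hash_algo_name[]` entry for `HASH_ALGO_SM3_256` (the table appears to mirror the kernel's, judging by the enum names), so this is an interoperability change rather than a cosmetic rename: wherever this table's strings are exchanged with the kernel, a build from this revision stops matching a kernel whose table still says `"sm3-256"`, and the commit message does not say which kernel the new spelling targets. A comment above the entry, `/* must match hash_algo_name[] of the target kernel; older kernels spell this "sm3-256" */`, and a line in the description naming that kernel would record the dependency for the next person who sees an "unknown algorithm" failure.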
Signed-off-by: shenxiangwei
---
 lib/crypto.c | 4 ++--
 lib/xattr.c | 3 +++
 parsers/rpm.c | 4 ++--
 src/rpm_parser.c | 4 ++--
 4 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/lib/crypto.c b/lib/crypto.c
index d81992e..5397feb 100644
--- a/lib/crypto.c
+++ b/lib/crypto.c
@@ -314,7 +314,7 @@ static int sign_file(int dirfd, char *filename, char *key_path, char *keypass,
 memcpy(buf + asn1->size, digest, digest_len);
 sig_len = RSA_private_encrypt(digest_len + asn1->size, buf, sig, k->key,
- RSA_PKCS1_PADDING);
+ RSA_PKCS1_OAEP_PADDING);
 if (sig_len < 0) {
 printf("RSA_private_encrypt() failed: %d\n", sig_len);
 goto out_buf;
@@ -403,7 +403,7 @@ static int verify_common(struct list_head *head, int dirfd, char *filename,
 goto out;
 }
- ret = RSA_public_decrypt(sig_len, sig, out, k->key, RSA_PKCS1_PADDING);
+ ret = RSA_public_decrypt(sig_len, sig, out, k->key, RSA_PKCS1_OAEP_PADDING);
 if (ret < 0) {
 printf("RSA_public_decrypt() failed: %d\n", ret);
 goto out;
diff --git a/lib/xattr.c b/lib/xattr.c
index 2aa9c96..3bfb35c 100644
--- a/lib/xattr.c
+++ b/lib/xattr.c
@@ -132,6 +132,9 @@ int read_ima_xattr(int dirfd, char *path, u8 **buf, size_t *buf_len,
 return -ENODATA;
 *buf_len = ret;
+ if (*buf_len > 65536)
+ return -ENOMEM;
+
 *buf = malloc(*buf_len);
 if (!*buf)
 return -ENOMEM;
diff --git a/parsers/rpm.c b/parsers/rpm.c
index e344e30..fc6122e 100644
--- a/parsers/rpm.c
+++ b/parsers/rpm.c
@@ -135,8 +135,8 @@ int parser(int fd, struct list_head *head, loff_t buf_size, void *buf,
 for (i = 0; i < digests_count && digests < bufendp; i++) {
 u16 modifiers = 0;
- int digest_str_len = strlen(digests);
- int basename_str_len = strlen(basenames);
+ size_t digest_str_len = strlen(digests);
+ size_t basename_str_len = strlen(basenames);
 int filecaps_str_len = filecaps ? strlen(filecaps) : 0;
 char *obj_label;
 u16 mode = 0;
diff --git a/src/rpm_parser.c b/src/rpm_parser.c
index 86a8eb1..79aaf2d 100644
--- a/src/rpm_parser.c
+++ b/src/rpm_parser.c
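Review bot: `RSA_PKCS1_OAEP_PADDING` is an encryption padding scheme (RSAES-OAEP) and is not a mode that `RSA_private_encrypt()` or `RSA_public_decrypt()` accept; those two functions implement the raw signature primitive and only take `RSA_PKCS1_PADDING`, `RSA_NO_PADDING` or `RSA_X931_PADDING`, so after this hunk and the `verify_common` hunk below it every signing and verification call fails with an unknown-padding error. The surrounding code also shows why PKCS#1 v1.5 is the right mode here: `sign_file` places a DigestInfo prefix before the digest (`buf + asn1->size`), which is the RSASSA-PKCS1-v1_5 encoding the kernel's IMA/EVM signature verifier is built around, so an OAEP-padded value would not interoperate even if OpenSSL produced one. Both lines should go back to `RSA_PKCS1_PADDING`; if the intent was to move off the deprecated low-level RSA API, the replacement is `EVP_PKEY_sign()`/`EVP_PKEY_verify_recover()` with `EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING)`, not a different padding constant. `sign_file` and `verify_common` both begin and end outside their hunks.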
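Review bot: The new size check in `read_ima_xattr` returns `-ENOMEM` for an attribute larger than 65536 bytes although no allocation was attempted, which makes a corrupt or oversized `security.ima` value indistinguishable from memory exhaustion to the caller; `if (*buf_len > IMA_XATTR_MAX_LEN)` followed by `return -E2BIG;`, with `IMA_XATTR_MAX_LEN` defined as a named constant and a comment on where the bound comes from, names the condition (unless a caller is known to key on `-ENOMEM`). The early return also leaves the `fd` that the function reads through `fgetxattr()` open, as the neighbouring returns already do; the fifth patch of this series adds the `close(fd)` calls, so a sentence in this commit's description would be enough rather than a second fix. `read_ima_xattr` starts and ends outside the hunk.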
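Review bot: Widening `digest_str_len`/`basename_str_len` to `size_t` leaves `filecaps_str_len` on the next line as `int`, so the three lengths now have mixed signedness wherever they are compared or added later in the loop; `size_t filecaps_str_len = filecaps ? strlen(filecaps) : 0;` keeps them uniform. The more important point is that the loop condition `digests < bufendp` shows these strings live inside a bounded RPM header buffer, yet `strlen()` reads until the first NUL regardless of that bound, so a header whose string table lacks a terminator walks past the buffer; unless the header parsing before the hunk guarantees termination (not visible here), `strnlen(digests, bufendp - digests)` with a check that the result is shorter than the remaining space is the safe form, and `basenames` presumably needs the same against its own end. The identical `strlen()` pair is changed the same way in the `parse_rpm` hunk of `src/rpm_parser.c` below and warrants the same bound. `parser` begins and ends outside the hunk.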
@@ -164,8 +164,8 @@ static int parse_rpm(int fd_ima, int add, char *path, struct stat *st)
 algo = pgp_algo_mapping[be32_to_cpu(*(u32 *)algo_buf)];
 for (i = 0; i < digests_count && digests < bufendp; i++) {
- int digest_str_len = strlen(digests);
- int basename_str_len = strlen(basenames);
+ size_t digest_str_len = strlen(digests);
+ size_t basename_str_len = strlen(basenames);
 u32 dirindex = 0;
 if ((basenames &&
--
Gitee

From a82140118896c2e5e61305bb1b8048d1ee303eb9 Mon Sep 17 00:00:00 2001
From: shenxiangwei
Date: Tue, 16 Aug 2022 08:34:37 +0800
Subject: [PATCH 5/6] fix file resource leakage and memory leakage

Signed-off-by: shenxiangwei
---
 generators/unknown.c | 3 ++-
 lib/xattr.c | 14 ++++++++++++++
 parsers/rpm.c | 2 +-
 src/manage_digest_lists.c | 4 ++--
 4 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/generators/unknown.c b/generators/unknown.c
index 2247993..45e9ab0 100644
--- a/generators/unknown.c
+++ b/generators/unknown.c
@@ -164,6 +164,7 @@ static int add_file(int dirfd, int fd, char *path, u16 type, u16 modifiers,
 if (!ret) {
 caps_bin = malloc(caps_bin_len);
 if (!caps_bin) {
+ cap_free(c);
 ret = -ENOMEM;
 goto out;
 }
@@ -217,7 +218,7 @@ static int add_file(int dirfd, int fd, char *path, u16 type, u16 modifiers,
 if (!ret)
 ret = write_check(fd, "\n", 1);
- return ret;
+ goto out;
 }
 if (!tlv) {
diff --git a/lib/xattr.c b/lib/xattr.c
index 3bfb35c..166aa2e 100644
--- a/lib/xattr.c
+++ b/lib/xattr.c
@@ -129,19 +129,33 @@ int read_ima_xattr(int dirfd, char *path, u8 **buf, size_t *buf_len,
 ret = fgetxattr(fd, XATTR_NAME_IMA, NULL, 0);
 if (ret < 0)
+ {
+ close(fd);
 return -ENODATA;
+ }
 *buf_len = ret;
 if (*buf_len > 65536)
+ {
+ close(fd);
 return -ENOMEM;
+ }
 *buf = malloc(*buf_len);
 if (!*buf)
+ {
+ close(fd);
 return -ENOMEM;
+ }
 ret = fgetxattr(fd, XATTR_NAME_IMA, *buf, ret);
 if (ret < 0)
+ {
+ free(*buf);
+ *buf = NULL;
+ close(fd);
 return -ENODATA;
+ }
 ret = parse_ima_xattr(*buf, *buf_len, keyid, keyid_len, sig, sig_len, algo);
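Review bot: The four new error paths in `read_ima_xattr` each repeat the cleanup by hand (`close(fd)`, plus `free(*buf)`/`*buf = NULL` in the last one), and they put the opening brace on its own line, which departs from the K&R layout the surrounding code uses (`if (!*buf)` with the statement on the next line); the idiomatic shape for a function that owns an fd and a buffer is a single exit through `goto out_close`/`goto out_free` labels, which also makes it impossible for a future early return to miss the close again. A secondary point, carried over rather than introduced here: every failure of `fgetxattr()` is mapped to `-ENODATA`, so a permission error or a racing change of the attribute reads as "no signature" to the caller, and returning `-errno` for the second call would keep that distinction. The success path and the end of `read_ima_xattr` are outside the hunk, so the labels below assume the existing tail jumps to `out_close` instead of falling through.
```c
	ret = fgetxattr(fd, XATTR_NAME_IMA, NULL, 0);
	if (ret < 0) {
		ret = -ENODATA;
		goto out_close;
	}

	*buf_len = ret;

	if (*buf_len > 65536) {
		ret = -ENOMEM;
		goto out_close;
	}

	*buf = malloc(*buf_len);
	if (!*buf) {
		ret = -ENOMEM;
		goto out_close;
	}

	ret = fgetxattr(fd, XATTR_NAME_IMA, *buf, ret);
	if (ret < 0) {
		ret = -ENODATA;
		goto out_free;
	}

	/* … unchanged: parse_ima_xattr() call and success path (outside the hunk); on success jump to out_close, never fall into out_free … */

out_free:
	free(*buf);
	*buf = NULL;
out_close:
	close(fd);
	return ret;
```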
diff --git a/parsers/rpm.c b/parsers/rpm.c
index fc6122e..0f165b6 100644
--- a/parsers/rpm.c
+++ b/parsers/rpm.c
@@ -272,7 +272,7 @@ int parser(int fd, struct list_head *head, loff_t buf_size, void *buf,
 }
 if (ret < 0)
- return ret;
+ goto out;
 }
 out:
 free(dirnames_ptr);
diff --git a/src/manage_digest_lists.c b/src/manage_digest_lists.c
index 1dc3a43..0eb4233 100644
--- a/src/manage_digest_lists.c
+++ b/src/manage_digest_lists.c
@@ -206,11 +206,11 @@ int main(int argc, char *argv[])
 if (op == PARSER_OP_GEN_IMA_LIST) {
 ret = ima_copy_boot_aggregate(fd);
 if (ret < 0)
- return ret;
+ goto out_close_fd;
 ret = ima_generate_entry(-1, fd, "", IMA_KEY_PATH);
 if (ret < 0)
- return ret;
+ goto out_close_fd;
 }
 for (i = 0; i < COMPACT__LAST; i++) {
--
Gitee

From db029352227106899a4ec326f2dc78a6e55a65e7 Mon Sep 17 00:00:00 2001
From: gaoyusong
Date: Tue, 20 Dec 2022 16:43:38 +0800
Subject: [PATCH 6/6] fix error exit in dracut program

---
 initrd/dracut/load_digest_lists.sh | 45 ++++++++++++++----------------
 1 file changed, 21 insertions(+), 24 deletions(-)

diff --git a/initrd/dracut/load_digest_lists.sh b/initrd/dracut/load_digest_lists.sh
index 9d6e5d1..8cb3e84 100644
--- a/initrd/dracut/load_digest_lists.sh
+++ b/initrd/dracut/load_digest_lists.sh
@@ -1,29 +1,26 @@
 #! /bin/bash
-if [ ! -f /sys/kernel/security/ima/digest_list_data ]; then
- exit 0
-fi
+if [ -f /sys/kernel/security/ima/digest_list_data ]; then
+ digests_count=$(cat /sys/kernel/security/ima/digests_count)
+ if [ "$digests_count" != "0" ]; then
+ for f in $(find $NEWROOT/etc/ima/digest_lists -type f); do
+ if [ ! -f /etc/ima/digest_lists/$(basename $f) ]; then
+ process_digest_list=$(getfattr -m - -e hex -d $f \
+ 2> /dev/null | awk '{ if ($1 ~ /security.evm/) evm=1;
+ if ($1 ~ /security.ima=0x03/) ima=1; }
+ END{ if (evm || ima) print "1" }')
+ if [ -z "$process_digest_list" ]; then
+ continue
+ fi
-digests_count=$(cat /sys/kernel/security/ima/digests_count)
-if [ "$digests_count" = "0" ]; then
- exit 0
+ format=$(echo $f | cut -d - -f 3)
+ if [ "$format" = "compact" ]; then
+ echo $f > /sys/kernel/security/ima/digest_list_data
+ else
+ upload_digest_lists add $f
+ fi
+ fi
+ done
+ fi
 fi
-for f in $(find $NEWROOT/etc/ima/digest_lists -type f); do
- if [ ! -f /etc/ima/digest_lists/$(basename $f) ]; then
- process_digest_list=$(getfattr -m - -e hex -d $f \
- 2> /dev/null | awk '{ if ($1 ~ /security.evm/) evm=1;
- if ($1 ~ /security.ima=0x03/) ima=1; }
- END{ if (evm || ima) print "1" }')
- if [ -z "$process_digest_list" ]; then
- continue
- fi
-
- format=$(echo $f | cut -d - -f 3)
- if [ "$format" = "compact" ]; then
- echo $f > /sys/kernel/security/ima/digest_list_data
- else
- upload_digest_lists add $f
- fi
- fi
-done
--
Gitee
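Review bot: Replacing the two `exit 0` guards by wrapping the whole body in nested `if` blocks pushes the real work five levels deep and makes the `for`/`if`/`fi`/`done` pairing hard to follow; if the reason `exit` is wrong is that dracut sources this hook into its own shell (the title suggests so, but the caller is not in the hunk), `return 0` gives the same effect while keeping the original flat shape: `[ -f /sys/kernel/security/ima/digest_list_data ] || return 0` and `[ "$(cat /sys/kernel/security/ima/digests_count)" != "0" ] || return 0`. While these lines are being moved, `$f` and `$NEWROOT` deserve quoting in the `basename`, `getfattr`, `echo $f >` and `upload_digest_lists add $f` invocations, since the paths come from the new root's filesystem and a name containing whitespace or glob characters is split before it reaches the kernel interface; `find … -print0 | while IFS= read -r -d '' f` is the robust loop form. The description should also say what failed before the change, because "fix error exit" does not tell a reader whether the script aborted the boot or merely stopped early.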