src-openEuler / digest-list-tools

All linux capabilities cannot be parsed for digest list in openEuler-22.03

Status: Done | Type: Defect | Created 2022-03-13 12:27

Issue:
After openEuler-22.03 enables full IMA measurement and appraisal, all files that carry a capability are prohibited from executing, even if the digest list is generated and signed normally.

I checked the code and found some problems in lib/cap.c:

  1. The internal structure _cap_struct of libcap is redefined in digest-list-tools. As libcap was upgraded to 2.61, the fields of the structure changed, so digest-list-tools can no longer parse capabilities correctly. When the digest list file is generated, all capability information is lost.

  2. In the redefinition of _cap_struct, the length of the array member u is _LINUX_CAPABILITY_U32S, while the length in libcap is _LIBCAP_CAPABILITY_U32S (not exported). In linux/capability.h, _LINUX_CAPABILITY_U32S is set to the earliest version (_LINUX_CAPABILITY_VERSION_1) to ensure backward compatibility, whereas in libcap _LIBCAP_CAPABILITY_U32S is defined as _LINUX_CAPABILITY_U32S_3 in preference, which is a potential problem.

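The two struct sizes contrasted in point 2 matter because the kernel stores file capabilities in the `security.capability` xattr, and the EVM digest the tool emits is computed over those exact bytes. The following is an added example, not code from digest-list-tools or libcap: it serializes capability masks into the VFS_CAP_REVISION_2 xattr layout (constants copied from linux/capability.h), parses them back, and shows that a struct sized with the version-1 length (one 32-bit word) drops every capability numbered 32 and above, so the bytes, and therefore the digest, no longer match what the kernel has on disk. The function names and the sample capability mask are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants as documented in linux/capability.h. */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_U32_2           2
#define XATTR_CAPS_SZ_2         (4u * (1 + 2 * VFS_CAP_U32_2))   /* 20 bytes */

/* Capability numbers from linux/capability.h; CAP_BPF sits in the second word. */
#define CAP_NET_RAW 13
#define CAP_BPF     39

/* The two array lengths the issue contrasts. */
#define LINUX_CAPABILITY_U32S_1 1   /* what _LINUX_CAPABILITY_U32S resolves to (v1) */
#define LINUX_CAPABILITY_U32S_3 2   /* what libcap sizes its own _cap_struct with */

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Serialize capability masks into the VFS_CAP_REVISION_2 xattr layout:
 * magic_etc (revision | effective bit) followed by VFS_CAP_U32_2 pairs of
 * little-endian (permitted, inheritable) words.  nwords is how many 32-bit
 * words the caller's struct really holds: a one-word struct never supplies
 * word 1, so capabilities >= 32 are silently zeroed.  Returns bytes written.
 */
static size_t encode_caps_v2(uint64_t permitted, uint64_t inheritable,
                             int effective, int nwords,
                             uint8_t out[XATTR_CAPS_SZ_2])
{
    put_le32(out, VFS_CAP_REVISION_2 | (effective ? VFS_CAP_FLAGS_EFFECTIVE : 0));
    for (int i = 0; i < VFS_CAP_U32_2; i++) {
        uint32_t p = 0, inh = 0;
        if (i < nwords) {                 /* words the struct lacks stay zero */
            p   = (uint32_t)(permitted   >> (32 * i));
            inh = (uint32_t)(inheritable >> (32 * i));
        }
        put_le32(out + 4 + 8 * i, p);
        put_le32(out + 8 + 8 * i, inh);
    }
    return XATTR_CAPS_SZ_2;
}

/* Parse a security.capability value; -1 if length or revision is not v2. */
static int decode_caps_v2(const uint8_t *buf, size_t len, uint64_t *permitted,
                          uint64_t *inheritable, int *effective)
{
    if (len != XATTR_CAPS_SZ_2)
        return -1;
    uint32_t magic = get_le32(buf);
    if ((magic & VFS_CAP_REVISION_MASK) != VFS_CAP_REVISION_2)
        return -1;
    *effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    *permitted = 0;
    *inheritable = 0;
    for (int i = 0; i < VFS_CAP_U32_2; i++) {
        *permitted   |= (uint64_t)get_le32(buf + 4 + 8 * i) << (32 * i);
        *inheritable |= (uint64_t)get_le32(buf + 8 + 8 * i) << (32 * i);
    }
    return 0;
}

/* Encode with an nwords-sized struct, decode again, and return the permitted
 * mask that survived; UINT64_MAX signals a decode failure. */
static uint64_t roundtrip_permitted(uint64_t permitted, int nwords)
{
    uint8_t buf[XATTR_CAPS_SZ_2];
    uint64_t p, inh;
    int eff;
    size_t n = encode_caps_v2(permitted, 0, 1, nwords, buf);
    if (decode_caps_v2(buf, n, &p, &inh, &eff) != 0)
        return UINT64_MAX;
    return p;
}

/* 1 if the one-word and two-word encodings of the same set differ in bytes,
 * i.e. any digest computed over the xattr would differ as well. */
static int one_word_struct_loses_caps(uint64_t permitted)
{
    uint8_t full[XATTR_CAPS_SZ_2], truncated[XATTR_CAPS_SZ_2];
    encode_caps_v2(permitted, 0, 1, LINUX_CAPABILITY_U32S_3, full);
    encode_caps_v2(permitted, 0, 1, LINUX_CAPABILITY_U32S_1, truncated);
    return memcmp(full, truncated, XATTR_CAPS_SZ_2) != 0;
}

int main(void)
{
    /* Constructed input: cap_net_raw,cap_bpf=ep */
    uint64_t perm = (1ULL << CAP_NET_RAW) | (1ULL << CAP_BPF);
    uint8_t buf[XATTR_CAPS_SZ_2];
    size_t n = encode_caps_v2(perm, 0, 1, LINUX_CAPABILITY_U32S_3, buf);
    printf("security.capability (v2):");
    for (size_t i = 0; i < n; i++)
        printf(" %02x", buf[i]);
    printf("\none-word struct changes the bytes: %s\n",
           one_word_struct_loses_caps(perm) ? "yes" : "no");
    return 0;
}
```

A set containing only capabilities below 32 (for example `cap_net_raw=ep`, which is what ping in iputils usually carries) encodes identically with either struct size, which is why a quick test on one package can pass while binaries with higher-numbered capabilities still fail appraisal.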

Comments (2)

卢华歆 created the issue

Hi HuaxinLuGitee, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: sig-security-facility, and any of the maintainers: @mailofzxf , @gwei3 , @wucaijun , @zhujianwei001 , @robertosassu

卢华歆 edited the description

I fixed the definition of _cap_struct to be consistent with libcap-2.61, and also enforced the libcap dependency in the rpm spec to solve this problem. I used digest-list-tools with this patch to generate the digest list for iputils and compared the EVM digest with the result calculated by evmctl; they are consistent:

[image]

卢华歆 edited the description
ltx set the assignee to 卢华歆
卢华歆 changed the task status from To do to Done via src-openeuler/digest-list-tools Pull Request !33
DisNight added the sig/sig-security-fac label

https://gitee.com/src-openeuler/digest-list-tools.git