
IMA/EVM support for PAX xattrs (patch included)

Posted: Sat Dec 03, 2016 9:10 pm
by viewizard
I am playing around with the EVM kernel feature and found out that EVM doesn't protect PAX xattrs. Here is the patch to fix this and add EVM protection to PAX xattrs.

--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -46,6 +46,10 @@
    XATTR_NAME_SMACKTRANSMUTE,
    XATTR_NAME_SMACKMMAP,
 #endif
+#endif
+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
+   XATTR_NAME_USER_PAX_FLAGS,
+   XATTR_NAME_PAX_FLAGS,
 #endif
 #ifdef CONFIG_IMA_APPRAISE
    XATTR_NAME_IMA,
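
Review bot: the hunk is harder to read than it needs to be, because the new `+#endif` closes an `#ifdef` opened outside the hunk and the new `+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS` block then borrows the original ` #endif` context line that follows it; placing the complete `#ifdef CONFIG_PAX_XATTR_PAX_FLAGS` / `XATTR_NAME_USER_PAX_FLAGS,` / `XATTR_NAME_PAX_FLAGS,` / `#endif` block after the existing second `#endif` gives the same preprocessed result with the addition self-contained. `CONFIG_PAX_XATTR_PAX_FLAGS`, `XATTR_NAME_USER_PAX_FLAGS` and `XATTR_NAME_PAX_FLAGS` are not defined anywhere in this hunk, so the change only applies to a tree that already carries the PaX patch. Since the position of an entry in this list is the order in which that xattr's value is fed into the EVM HMAC/signature, the userspace list in ima-evm-utils has to use the same position (after the Smack names, before `XATTR_NAME_IMA`).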

Re: IMA/EVM support for PAX xattrs (patch included)

Posted: Sat Dec 03, 2016 11:47 pm
by viewizard
I forgot to mention that in this case ima-evm-utils must also be patched, with this patch:

--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -66,9 +66,18 @@
 
 #include "imaevm.h"
 
+/* available in linux/xattr.h gentoo hardened kernel, but not in sys-kernel/linux-headers
+   without grsecurity pathed linux/xattr.h */
+#define XATTR_PAX_PREFIX "pax."
+#define XATTR_PAX_FLAGS_SUFFIX "flags"
+#define XATTR_NAME_USER_PAX_FLAGS XATTR_USER_PREFIX XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
+#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
+
 static char *evm_default_xattrs[] = {
    XATTR_NAME_SELINUX,
    XATTR_NAME_SMACK,
+   XATTR_NAME_USER_PAX_FLAGS,
+   XATTR_NAME_PAX_FLAGS,
    XATTR_NAME_IMA,
    XATTR_NAME_CAPS,
    NULL
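
Review bot: the four `#define`s are unconditional, so on a system whose `linux/xattr.h` already provides `XATTR_NAME_PAX_FLAGS` (the hardened kernel headers the comment itself mentions) the build gets a macro redefinition; wrap them in `#ifndef XATTR_NAME_PAX_FLAGS` ... `#endif` so the fallback only takes effect when the headers lack them. The comment also reads "pathed" where "patched" is meant. The insertion point in `evm_default_xattrs` (after `XATTR_NAME_SMACK`, before `XATTR_NAME_IMA`) matches where the kernel hunk places the names, which matters because the list order is the order in which xattr values enter the HMAC/signature; a mismatch between the two lists would make every evmctl-generated `security.evm` fail verification on files that carry a PaX xattr.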
@@ -80,6 +89,8 @@
    XATTR_NAME_SMACKEXEC,
    XATTR_NAME_SMACKTRANSMUTE,
    XATTR_NAME_SMACKMMAP,
+   XATTR_NAME_USER_PAX_FLAGS,
+   XATTR_NAME_PAX_FLAGS,
    XATTR_NAME_IMA,
    XATTR_NAME_CAPS,
    NULL
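
Review bot: unlike the kernel side, which is guarded by `CONFIG_PAX_XATTR_PAX_FLAGS`, both userspace lists now include the PaX names unconditionally, so an evmctl built with this patch and used against a kernel that does not cover these xattrs computes a different HMAC/signature for any file that carries a `user.pax.flags` or `pax.flags` value; this is the case the follow-up message describes, and a build-time option or command-line switch to include these names would make it explicit instead of silent. The position here (after `XATTR_NAME_SMACKMMAP`, before `XATTR_NAME_IMA`) is consistent with the kernel hunk.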


So, the IMA/EVM changes should be optional, with a warning that ima-evm-utils must be patched as well. Probably it will be impossible to push this patch into ima-evm-utils upstream, at least until PAX is included in the upstream kernel...