- Code: Select all
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -46,6 +46,10 @@
XATTR_NAME_SMACKTRANSMUTE,
XATTR_NAME_SMACKMMAP,
#endif
+#endif
+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
+ XATTR_NAME_USER_PAX_FLAGS,
+ XATTR_NAME_PAX_FLAGS,
#endif
#ifdef CONFIG_IMA_APPRAISE
XATTR_NAME_IMA,
IMA/EVM support for PAX xattrs (patch included)
2 posts
• Page 1 of 1
IMA/EVM support for PAX xattrs (patch included)
by viewizard » Sat Dec 03, 2016 9:10 pm
I am playing around EVM kernel feature and find out, that EVM don't protect PAX xattrs. Here is the patch to fix this and add EVM protection to PAX xattrs.
- viewizard
- Posts: 2
- Joined: Sat Dec 03, 2016 9:01 pm
Re: IMA/EVM support for PAX xattrs (patch included)
by viewizard » Sat Dec 03, 2016 11:47 pm
I forgot to mention, that in this case ima-evm-utils must be patched also with this patch:
So, IMA/EVM changes should be optional, with warning that ima-evm-utils must be patched as well. Probably, will be impossible push this patch into ima-evm-utils upstream, at least till PAX will not be incuded in kernel upstream...
- Code: Select all
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -66,9 +66,18 @@
#include "imaevm.h"
+/* available in linux/xattr.h gentoo hardened kernel, but not in sys-kernel/linux-headers
+ without grsecurity pathed linux/xattr.h */
+#define XATTR_PAX_PREFIX "pax."
+#define XATTR_PAX_FLAGS_SUFFIX "flags"
+#define XATTR_NAME_USER_PAX_FLAGS XATTR_USER_PREFIX XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
+#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
+
static char *evm_default_xattrs[] = {
XATTR_NAME_SELINUX,
XATTR_NAME_SMACK,
+ XATTR_NAME_USER_PAX_FLAGS,
+ XATTR_NAME_PAX_FLAGS,
XATTR_NAME_IMA,
XATTR_NAME_CAPS,
NULL
@@ -80,6 +89,8 @@
XATTR_NAME_SMACKEXEC,
XATTR_NAME_SMACKTRANSMUTE,
XATTR_NAME_SMACKMMAP,
+ XATTR_NAME_USER_PAX_FLAGS,
+ XATTR_NAME_PAX_FLAGS,
XATTR_NAME_IMA,
XATTR_NAME_CAPS,
NULL
So, IMA/EVM changes should be optional, with warning that ima-evm-utils must be patched as well. Probably, will be impossible push this patch into ima-evm-utils upstream, at least till PAX will not be incuded in kernel upstream...
- viewizard
- Posts: 2
- Joined: Sat Dec 03, 2016 9:01 pm
2 posts
• Page 1 of 1