From: Coiby Xu coxu@redhat.com
[ Upstream commit 88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd ]
Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file.
For example, on Fedora, after booting the kernel with "ima_appraise=fix evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated,
# getfattr -m - -d -e hex /usr/bin/bash # file: usr/bin/bash security.ima=0x0404...
This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed.
Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL.
Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset.
Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL,
#include <stdio.h> #include <sys/xattr.h> #include <fcntl.h> #include <unistd.h> #include <string.h> #include <stdlib.h>
int main() { const char* file_path = "/usr/sbin/test_binary"; const char* hex_string = "030204d33204490066306402304"; int length = strlen(hex_string); char* ima_attr_value; int fd;
fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644); if (fd == -1) { perror("Error opening file"); return 1; }
ima_attr_value = (char*)malloc(length / 2 ); for (int i = 0, j = 0; i < length; i += 2, j++) { sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]); }
if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) { perror("Error setting extended attribute"); close(fd); return 1; }
const char* selinux_value= "system_u:object_r:bin_t:s0"; if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) { perror("Error setting extended attribute"); close(fd); return 1; }
close(fd);
return 0; }
Signed-off-by: Coiby Xu coxu@redhat.com Signed-off-by: Mimi Zohar zohar@linux.ibm.com Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
YES – this is a focused bug fix that should go to stable.
- The core issue is that `ima_reset_appraise_flags()` used to treat the `digsig` argument as boolean, so any non-IMA xattr update passed the default `0` and cleared `IMA_DIGSIG`, triggering `ima_update_xattr()` to overwrite an existing signature with a hash in fix mode (see `security/integrity/ima/ima_appraise.c:628-646`). The reported Fedora reproducer shows this breaks IMA/EVM deployments running `ima_appraise=fix`. - The patch makes `digsig` tri-state: `ima_reset_appraise_flags()` now only toggles the bit when given `0`/`1`, leaving it untouched for `-1` (`security/integrity/ima/ima_appraise.c:706-721`). All non-IMA paths (generic xattrs, ACL set/remove, non-IMA removals) now pass `-1`, so they still force re-appraisal via `IMA_CHANGE_XATTR` but stop clobbering the signature (`security/integrity/ima/ima_appraise.c:788-835`). - Actual signature operations keep their old behavior: setting `security.ima` still sets `IMA_DIGSIG`, and removing it still clears the flag (`security/integrity/ima/ima_appraise.c:793-835`), so there’s no functional change for legitimate signature updates or removals. - I checked older releases (e.g. `v6.1`) and they still have the pre- patch boolean handling, so the regression affects long-term stable trees. No new APIs or dependencies are introduced; the change is confined to one file and keeps existing call sites in sync. - Risk is low: the patch just stops clearing the digital-signature bit for unrelated xattr/ACL changes, which is precisely what breakage reports show is required. It preserves hash-update behavior for unsigned files and keeps the IMA/EVM synchronization logic intact.
Given the user-visible security impact (signed packages ending up with only hashes) and the minimal, targeted fix, this commit is a strong stable backport candidate. Suggested follow-up: validate on a stable branch with `ima_appraise=fix evm=fix` to ensure reference signatures persist across SELinux xattr/ACL churn.
security/integrity/ima/ima_appraise.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index f435eff4667f8..5149ff4fd50d2 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -694,6 +694,15 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name, return 0; }
+/* + * ima_reset_appraise_flags - reset ima_iint_cache flags + * + * @digsig: whether to clear/set IMA_DIGSIG flag, tristate values + * 0: clear IMA_DIGSIG + * 1: set IMA_DIGSIG + * -1: don't change IMA_DIGSIG + * + */ static void ima_reset_appraise_flags(struct inode *inode, int digsig) { struct ima_iint_cache *iint; @@ -706,9 +715,9 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig) return; iint->measured_pcrs = 0; set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags); - if (digsig) + if (digsig == 1) set_bit(IMA_DIGSIG, &iint->atomic_flags); - else + else if (digsig == 0) clear_bit(IMA_DIGSIG, &iint->atomic_flags); }
@@ -794,6 +803,8 @@ static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) { digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG); + } else { + digsig = -1; } if (result == 1 || evm_revalidate_status(xattr_name)) { ima_reset_appraise_flags(d_backing_inode(dentry), digsig); @@ -807,7 +818,7 @@ static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, const char *acl_name, struct posix_acl *kacl) { if (evm_revalidate_status(acl_name)) - ima_reset_appraise_flags(d_backing_inode(dentry), 0); + ima_reset_appraise_flags(d_backing_inode(dentry), -1);
return 0; } @@ -815,11 +826,13 @@ static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, static int ima_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, const char *xattr_name) { - int result; + int result, digsig = -1;
result = ima_protect_xattr(dentry, xattr_name, NULL, 0); if (result == 1 || evm_revalidate_status(xattr_name)) { - ima_reset_appraise_flags(d_backing_inode(dentry), 0); + if (!strcmp(xattr_name, XATTR_NAME_IMA)) + digsig = 0; + ima_reset_appraise_flags(d_backing_inode(dentry), digsig); if (result == 1) result = 0; }