Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
evm: Use ordered xattrs list to calculate HMAC in evm_init_hmac()

Commit 8e5d9f916a96 ("smack: deduplicate xattr setting in
smack_inode_init_security()") introduced xattr_dupval() to simplify setting
the xattrs to be provided by the SMACK LSM on inode creation in
smack_inode_init_security().

Unfortunately, moving lsm_get_xattr_slot() caused the SMACK64TRANSMUTE
xattr to be added in the array of new xattrs before SMACK64. This causes the
HMAC of xattrs calculated by evm_init_hmac() for new files to diverge from
the one calculated by both evm_calc_hmac_or_hash() and evmctl.

evm_init_hmac() calculates the HMAC of the xattrs of new files based on the
order LSMs provide them, while evm_calc_hmac_or_hash() and evmctl calculate
the HMAC based on an ordered xattrs list.

Fix the issue by making evm_init_hmac() calculate the HMAC of new files
based on the ordered xattrs list too.

Fixes: 8e5d9f916a96 ("smack: deduplicate xattr setting in smack_inode_init_security()")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Authored by Roberto Sassu, committed by Mimi Zohar
0496fc9c 377cae98
+10 -4
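The ordering mismatch the commit message describes, as an added example in Python; this is not kernel code and not part of the commit. It models the two code paths with stand-in functions: the old evm_init_hmac() loop that feeds values into the HMAC in whatever order the LSM supplied them, the fixed loop that walks the configured xattr list and picks the matching new xattr for each entry, and a reference computation standing in for what evm_calc_hmac_or_hash() and evmctl do on an existing inode. The list contents and order, the key, the SMACK values and the use of HMAC-SHA1 without the hmac_add_misc() inode metadata are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed stand-in for the kernel's ordered evm_config_xattrnames list;
# the real list is config-dependent. Entries carry the "security." prefix
# that the kernel strips before comparing against LSM-supplied names.
EVM_CONFIG_XATTRNAMES = [
    "security.selinux",
    "security.SMACK64",
    "security.SMACK64EXEC",
    "security.SMACK64TRANSMUTE",
    "security.SMACK64MMAP",
    "security.apparmor",
    "security.ima",
    "security.capability",
]
XATTR_SECURITY_PREFIX_LEN = len("security.")

# Constructed key; the kernel uses the loaded EVM HMAC key instead.
EVM_KEY = b"constructed-evm-hmac-key"


def evm_init_hmac_unordered(key, xattrs):
    """Old behaviour: HMAC over protected xattrs in LSM-supplied order."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    protected = {n[XATTR_SECURITY_PREFIX_LEN:] for n in EVM_CONFIG_XATTRNAMES}
    for name, value in xattrs:
        if name not in protected:
            continue
        mac.update(value)
    return mac.hexdigest()


def evm_init_hmac_ordered(key, xattrs):
    """Fixed behaviour: walk the configured list, feed each matching new xattr."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for entry in EVM_CONFIG_XATTRNAMES:
        suffix = entry[XATTR_SECURITY_PREFIX_LEN:]
        for name, value in xattrs:
            if name != suffix:
                continue
            mac.update(value)
    return mac.hexdigest()


def evm_calc_hmac_reference(key, inode_xattrs):
    """Stand-in for evm_calc_hmac_or_hash()/evmctl on an existing inode:
    look up each configured xattr by full name, in list order."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for entry in EVM_CONFIG_XATTRNAMES:
        value = inode_xattrs.get(entry)
        if value is None:
            continue
        mac.update(value)
    return mac.hexdigest()


# Constructed new-inode xattrs as an LSM hands them to evm_init_hmac():
# names without the "security." prefix, same data in two orders.
SMACK_BEFORE = [("SMACK64", b"_"), ("SMACK64TRANSMUTE", b"TRUE")]
SMACK_AFTER = [("SMACK64TRANSMUTE", b"TRUE"), ("SMACK64", b"_")]
# The same xattrs as they would later be read back from the inode.
ON_DISK = {"security.SMACK64": b"_", "security.SMACK64TRANSMUTE": b"TRUE"}


def demo():
    """Return every variant so the divergence and the fix can be compared."""
    return {
        "reference": evm_calc_hmac_reference(EVM_KEY, ON_DISK),
        "unordered_before": evm_init_hmac_unordered(EVM_KEY, SMACK_BEFORE),
        "unordered_after": evm_init_hmac_unordered(EVM_KEY, SMACK_AFTER),
        "ordered_before": evm_init_hmac_ordered(EVM_KEY, SMACK_BEFORE),
        "ordered_after": evm_init_hmac_ordered(EVM_KEY, SMACK_AFTER),
    }


if __name__ == "__main__":
    for label, digest in demo().items():
        print(f"{label:17s} {digest}")
```

With the LSM order that matched the configured list, the old loop happened to agree with the reference; once SMACK64TRANSMUTE came first, the HMAC input became a different byte string and verification of the freshly created file would fail. The ordered walk is insensitive to the LSM's order, which is the property the fix restores.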
security/integrity/evm/evm_crypto.c
··· 401 401 { 402 402 struct shash_desc *desc; 403 403 const struct xattr *xattr; 404 + struct xattr_list *xattr_entry; 404 405 405 406 desc = init_desc(EVM_XATTR_HMAC, HASH_ALGO_SHA1); 406 407 if (IS_ERR(desc)) { ··· 409 408 return PTR_ERR(desc); 410 409 } 411 410 412 - for (xattr = xattrs; xattr->name; xattr++) { 413 - if (!evm_protected_xattr(xattr->name)) 414 - continue; 411 + list_for_each_entry_lockless(xattr_entry, &evm_config_xattrnames, 412 + list) { 413 + for (xattr = xattrs; xattr->name; xattr++) { 414 + if (strcmp(xattr_entry->name + 415 + XATTR_SECURITY_PREFIX_LEN, xattr->name) != 0) 416 + continue; 415 417 416 - crypto_shash_update(desc, xattr->value, xattr->value_len); 418 + crypto_shash_update(desc, xattr->value, 419 + xattr->value_len); 420 + } 417 421 } 418 422 419 423 hmac_add_misc(desc, inode, EVM_XATTR_HMAC, hmac_val);
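Review bot: the comparison `strcmp(xattr_entry->name + XATTR_SECURITY_PREFIX_LEN, xattr->name)` in the new nested loop rests on two unstated assumptions that deserve a comment above the `list_for_each_entry_lockless()` line: every entry in evm_config_xattrnames begins with the `security.` prefix (a shorter name would make the pointer arithmetic read past it), and every name in the `xattrs` array arrives from the LSM without that prefix (a prefixed name would now never match and would silently be left out of the HMAC rather than rejected). The hunk also drops the `evm_protected_xattr()` call in favour of bare list membership, so any filtering that helper applied beyond "is the name in the list" no longer applies here; if that is intended, say so in the commit message. Since the commit message states that evm_calc_hmac_or_hash() already walks the same ordered list, consider sharing one helper for the ordered traversal so the two HMAC computations cannot drift apart again.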