Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
evm: fix security.evm for a file with IMA signature

When both IMA and EVM fix modes are enabled, accessing a file with IMA
signature but missing EVM HMAC won't cause security.evm to be fixed.

Add a function evm_fix_hmac which will be explicitly called to fix EVM
HMAC for this case.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Authored by Coiby Xu and committed by Mimi Zohar
0ec959cf a2e507af

+41
+8
include/linux/evm.h
··· 18 18 const char *xattr_name, 19 19 void *xattr_value, 20 20 size_t xattr_value_len); 21 + int evm_fix_hmac(struct dentry *dentry, const char *xattr_name, 22 + const char *xattr_value, size_t xattr_value_len); 21 23 int evm_inode_init_security(struct inode *inode, struct inode *dir, 22 24 const struct qstr *qstr, struct xattr *xattrs, 23 25 int *xattr_count); ··· 52 50 size_t xattr_value_len) 53 51 { 54 52 return INTEGRITY_UNKNOWN; 53 + } 54 + 55 + static inline int evm_fix_hmac(struct dentry *dentry, const char *xattr_name, 56 + const char *xattr_value, size_t xattr_value_len) 57 + { 58 + return -EOPNOTSUPP; 55 59 } 56 60 #endif 57 61
+28
security/integrity/evm/evm_main.c
··· 796 796 } 797 797 798 798 /** 799 + * evm_fix_hmac - Calculate the HMAC and add it to security.evm for fix mode 800 + * @dentry: pointer to the affected dentry which doesn't yet have security.evm 801 + * xattr 802 + * @xattr_name: pointer to the affected extended attribute name 803 + * @xattr_value: pointer to the new extended attribute value 804 + * @xattr_value_len: pointer to the new extended attribute value length 805 + * 806 + * Expects to be called with i_mutex locked. 807 + * 808 + * Return: 0 on success, -EPERM/-ENOMEM/-EOPNOTSUPP on failure 809 + */ 810 + int evm_fix_hmac(struct dentry *dentry, const char *xattr_name, 811 + const char *xattr_value, size_t xattr_value_len) 812 + 813 + { 814 + if (!evm_fixmode || !evm_revalidate_status((xattr_name))) 815 + return -EPERM; 816 + 817 + if (!(evm_initialized & EVM_INIT_HMAC)) 818 + return -EPERM; 819 + 820 + if (is_unsupported_hmac_fs(dentry)) 821 + return -EOPNOTSUPP; 822 + 823 + return evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 824 + } 825 + 826 + /** 799 827 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 800 828 * @dentry: pointer to the affected dentry 801 829 * @xattr_name: pointer to the affected extended attribute name
+5
security/integrity/ima/ima_appraise.c
··· 591 591 xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { 592 592 if (!ima_fix_xattr(dentry, iint)) 593 593 status = INTEGRITY_PASS; 594 + } else if (status == INTEGRITY_NOLABEL) { 595 + if (!evm_fix_hmac(dentry, XATTR_NAME_IMA, 596 + (const char *)xattr_value, 597 + xattr_len)) 598 + status = INTEGRITY_PASS; 594 599 } 595 600 596 601 /*
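Review bot: in the evm_fix_hmac hunk of security/integrity/evm/evm_main.c, the kernel-doc describes @xattr_value_len as "pointer to the new extended attribute value length" although the parameter is a plain `size_t`, so the line should read `@xattr_value_len: length of the new extended attribute value`. Two style nits in the same hunk: there is a stray blank line between the parameter list and the opening brace of the function, and `evm_revalidate_status((xattr_name))` carries a redundant pair of parentheses; `evm_revalidate_status(xattr_name)` reads cleaner.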
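Review bot: in the security/integrity/ima/ima_appraise.c hunk, the new `else if (status == INTEGRITY_NOLABEL)` branch forwards `xattr_value` and `xattr_len` to evm_fix_hmac with no check on the xattr itself, while the commit message scopes the change to a file that carries an IMA signature but lacks the EVM HMAC. Either make that explicit, for example `} else if (status == INTEGRITY_NOLABEL && xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) {`, or add a short comment stating why reaching this branch already implies a signature is present (the preceding branch excludes EVM_IMA_XATTR_DIGSIG, but only when ima_fix_xattr is eligible to run). Worth confirming as well that `xattr_len` is never negative on this path, since evm_fix_hmac takes it as `size_t`.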