lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 11 Nov 2020 10:22:57 +0100
From:   Roberto Sassu <roberto.sassu@...wei.com>
To:     <zohar@...ux.ibm.com>, <mjg59@...gle.com>
CC:     <linux-integrity@...r.kernel.org>,
        <linux-security-module@...r.kernel.org>,
        <linux-fsdevel@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <silviu.vlasceanu@...wei.com>,
        Roberto Sassu <roberto.sassu@...wei.com>
Subject: [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded

When a file is being created, LSMs can set the initial label with the
inode_init_security hook. If no HMAC key is loaded, the new file will have
LSM xattrs but not the HMAC.

Unfortunately, EVM will deny any further metadata operation on new files,
as evm_protect_xattr() will always return the INTEGRITY_NOLABEL error. This
would limit the usability of EVM when only a public key is loaded, as
commands such as cp or tar with the option to preserve xattrs won't work.

Ignoring this error won't be an issue if no HMAC key is loaded, as the
inode is locked until the post hook, and EVM won't calculate the HMAC on
metadata that wasn't previously verified. Thus this patch checks if an
HMAC key is loaded and if not, ignores INTEGRITY_NOLABEL.

Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
---
 security/integrity/evm/evm_main.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index b38ffa39faa8..4f4404a12bbd 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -354,6 +354,14 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
 				    -EPERM, 0);
 	}
 out:
+	/*
+	 * Ignoring INTEGRITY_NOLABEL is safe if no HMAC key is loaded, as
+	 * EVM won't calculate the HMAC of metadata that wasn't previously
+	 * verified.
+	 */
+	if (evm_status == INTEGRITY_NOLABEL &&
+	    !(evm_initialized & EVM_INIT_HMAC))
+		return 0;
 	if (evm_status != INTEGRITY_PASS)
 		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
 				    dentry->d_name.name, "appraise_metadata",
@@ -514,8 +522,15 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
 	if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
 		return 0;
 	evm_status = evm_verify_current_integrity(dentry);
+	/*
+	 * Ignoring INTEGRITY_NOLABEL is safe if no HMAC key is loaded, as
+	 * EVM won't calculate the HMAC of metadata that wasn't previously
+	 * verified.
+	 */
 	if ((evm_status == INTEGRITY_PASS) ||
-	    (evm_status == INTEGRITY_NOXATTRS))
+	    (evm_status == INTEGRITY_NOXATTRS) ||
+	    (evm_status == INTEGRITY_NOLABEL &&
+	     !(evm_initialized & EVM_INIT_HMAC)))
 		return 0;
 	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
 			    dentry->d_name.name, "appraise_metadata",
-- 
2.27.GIT

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ