| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b9f1a31e9b2dfb7a7167574a39652932263488e8.camel@linux.ibm.com>
Date: Thu, 03 Dec 2020 15:42:44 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Roberto Sassu <roberto.sassu@...wei.com>, mjg59@...gle.com
Cc: linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
silviu.vlasceanu@...wei.com
Subject: Re: [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key
is loaded
Hi Roberto,
On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> When a file is being created, LSMs can set the initial label with the
> inode_init_security hook. If no HMAC key is loaded, the new file will have
> LSM xattrs but not the HMAC.
>
> Unfortunately, EVM will deny any further metadata operation on new files,
> as evm_protect_xattr() will always return the INTEGRITY_NOLABEL error. This
> would limit the usability of EVM when only a public key is loaded, as
> commands such as cp or tar with the option to preserve xattrs won't work.
>
> Ignoring this error won't be an issue if no HMAC key is loaded, as the
> inode is locked until the post hook, and EVM won't calculate the HMAC on
> metadata that wasn't previously verified. Thus this patch checks if an
> HMAC key is loaded and if not, ignores INTEGRITY_NOLABEL.
I'm not sure what problem this patch is trying to solve.
evm_protect_xattr() is only called by evm_inode_setxattr() and
evm_inode_removexattr(), which first checks whether
EVM_ALLOW_METADATA_WRITES is enabled.
Mimi
Powered by blists - more mailing lists