Message-ID: <a0657cec664efcedb3d2501ac10e7365fd196e77.camel@linux.ibm.com>
Date: Tue, 11 May 2021 09:42:08 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Roberto Sassu <roberto.sassu@...wei.com>, mjg59@...gle.com
Cc: linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v6 04/11] evm: Introduce evm_status_revalidate()
On Wed, 2021-05-05 at 13:29 +0200, Roberto Sassu wrote:
> When EVM_ALLOW_METADATA_WRITES is set, EVM allows any operation on
> metadata. Its main purpose is to allow users to freely set metadata when it
> is protected by a portable signature, until an HMAC key is loaded.
>
> However, callers of evm_verifyxattr() are not notified about metadata
> changes and continue to rely on the last status returned by the function.
> For example IMA, since it caches the appraisal result, will not call again
> evm_verifyxattr() until the appraisal flags are cleared, and will grant
> access to the file even if there was a metadata operation that made the
> portable signature invalid.
>
> This patch introduces evm_status_revalidate(), which callers of
> evm_verifyxattr() can use in their xattr hooks to determine whether
> re-validation is necessary and to do the proper actions. IMA calls it in
> its xattr hooks to reset the appraisal flags, so that the EVM status is
> re-evaluated after a metadata operation.
>
> Lastly, this patch also adds a call to evm_reset_status() in
> evm_inode_post_setattr() to invalidate the cached EVM status after a
> setattr operation.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
I'm really sorry for the patch churn, but could you rename
evm_status_revalidate() to evm_revalidate_status().
Otherwise,
Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>
thanks,
Mimi
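The staleness problem the commit message describes (IMA caching the last appraisal result, so a metadata write under EVM_ALLOW_METADATA_WRITES leaves a stale PASS in place) can be shown with a small userspace model. The code below is an added example, not code from the kernel or from this patch series: every `model_*` name, the FNV-1a "signature" standing in for the portable signature, the single cache flag standing in for the IMA appraisal flags, and the constructed inode contents are assumptions made for illustration. `model_evm_revalidate_status()` plays the role of the hook the reply asks to be named `evm_revalidate_status()`: it is called from the setattr path and drops the cached result so the next appraisal re-runs verification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status values, modelled loosely on integrity outcomes. */
enum model_status { MODEL_PASS = 0, MODEL_FAIL = 1, MODEL_UNKNOWN = 2 };

/* Single IMA-side cache flag: "appraised already, reuse cached_status". */
#define MODEL_IMA_APPRAISED 0x1u

/* Constructed inode model: metadata a portable signature covers, the stored
 * signature, and the per-inode integrity cache IMA keeps for that inode. */
struct model_inode {
    uint32_t mode;
    uint32_t uid;
    char security_xattr[32];         /* stands in for a protected xattr */
    uint32_t evm_sig;                /* stands in for security.evm */
    unsigned int iint_flags;         /* stands in for IMA appraisal flags */
    enum model_status cached_status; /* last result IMA cached */
};

/* FNV-1a over the protected metadata; a stand-in for the signed digest. */
static uint32_t model_metadata_digest(const struct model_inode *ino)
{
    uint32_t h = 2166136261u;
    uint8_t buf[8];
    size_t i;
    const uint8_t *p;

    memcpy(buf, &ino->mode, 4);
    memcpy(buf + 4, &ino->uid, 4);
    for (i = 0; i < sizeof(buf); i++) { h ^= buf[i]; h *= 16777619u; }
    for (p = (const uint8_t *)ino->security_xattr; *p; p++) { h ^= *p; h *= 16777619u; }
    return h;
}

/* "Sign" the current metadata, as installing a portable signature would. */
void model_evm_sign(struct model_inode *ino)
{
    ino->evm_sig = model_metadata_digest(ino);
}

/* Stand-in for evm_verifyxattr(): recompute the digest and compare. */
enum model_status model_evm_verifyxattr(const struct model_inode *ino)
{
    return model_metadata_digest(ino) == ino->evm_sig ? MODEL_PASS : MODEL_FAIL;
}

/* Stand-in for the revalidation hook: called from xattr/setattr paths.
 * Returns true when a cached result existed and had to be dropped. */
bool model_evm_revalidate_status(struct model_inode *ino)
{
    if (!(ino->iint_flags & MODEL_IMA_APPRAISED))
        return false;
    ino->iint_flags &= ~MODEL_IMA_APPRAISED;
    ino->cached_status = MODEL_UNKNOWN;
    return true;
}

/* Stand-in for IMA appraisal: verification runs only when nothing is cached. */
enum model_status model_ima_appraise(struct model_inode *ino)
{
    if (ino->iint_flags & MODEL_IMA_APPRAISED)
        return ino->cached_status;
    ino->cached_status = model_evm_verifyxattr(ino);
    ino->iint_flags |= MODEL_IMA_APPRAISED;
    return ino->cached_status;
}

/* Metadata write with EVM_ALLOW_METADATA_WRITES semantics: always permitted.
 * 'revalidate' selects whether the post-setattr hook invalidates the cache. */
void model_chmod(struct model_inode *ino, uint32_t mode, bool revalidate)
{
    ino->mode = mode;
    if (revalidate)
        model_evm_revalidate_status(ino);
}

/* The scenario from the commit message: sign, appraise (cached PASS), change
 * metadata, appraise again. Returns what IMA reports after the change. */
enum model_status model_scenario(bool revalidate)
{
    struct model_inode ino = { .mode = 0644, .uid = 0 };

    strcpy(ino.security_xattr, "selinux=example_t"); /* constructed value */
    model_evm_sign(&ino);
    if (model_ima_appraise(&ino) != MODEL_PASS)
        return MODEL_UNKNOWN;               /* would indicate a model bug */
    model_chmod(&ino, 04755, revalidate);   /* mode changed: signature now stale */
    return model_ima_appraise(&ino);
}

int main(void)
{
    printf("without revalidation: %d (0 = PASS, stale)\n", model_scenario(false));
    printf("with revalidation:    %d (1 = FAIL, correct)\n", model_scenario(true));
    return 0;
}
```

Without the hook the second appraisal returns the cached PASS even though the signature no longer matches the metadata; with the hook the cache is cleared by the setattr path and the next appraisal re-verifies and fails, which is the behaviour the patch is after.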