Message-ID: <956020eb1babea38fa904aadfdbc4c81b9fb7baa.camel@linux.ibm.com>
Date: Tue, 11 May 2021 09:42:15 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Roberto Sassu <roberto.sassu@...wei.com>, mjg59@...gle.com
Cc: linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RESEND][PATCH v6 05/11] evm: Introduce evm_hmac_disabled() to safely ignore verification errors

On Fri, 2021-05-07 at 15:31 +0200, Roberto Sassu wrote:
> When a file is being created, LSMs can set the initial label with the
> inode_init_security hook. If no HMAC key is loaded, the new file will have
> LSM xattrs but not the HMAC. It is also possible that the file remains
> without protected xattrs after creation if no active LSM provided it.
>
> Unfortunately, EVM will deny any further metadata operation on new files,
> as evm_protect_xattr() will always return the INTEGRITY_NOLABEL error, or
> INTEGRITY_NOXATTRS if no protected xattrs exist. This would limit the
> usability of EVM when only a public key is loaded, as commands such as cp
> or tar with the option to preserve xattrs won't work.
>
> This patch introduces the evm_hmac_disabled() function to determine whether
> or not it is safe to ignore verification errors, based on the ability of
> EVM to calculate HMACs. If the HMAC key is not loaded, and it cannot be
> loaded in the future due to the EVM_SETUP_COMPLETE initialization flag,
> allowing an operation despite the attrs/xattrs being found invalid will not
> make them valid.
>
> Since the post hooks can be executed even when the HMAC key is not loaded,
> this patch also ensures that the EVM_INIT_HMAC initialization flag is set
> before the post hooks call evm_update_evmxattr().
>
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> Suggested-by: Mimi Zohar <zohar@...ux.ibm.com>
Thanks, Robert!
Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>
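
A user-space C model of the decision described in the quoted commit message, added here as an illustration; it is not the patch's code. The function names, the numeric flag values and the handling of statuses other than INTEGRITY_NOLABEL and INTEGRITY_NOXATTRS are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Flag names come from the message; the numeric values are assumed for this model. */
#define EVM_INIT_HMAC      0x0001u      /* an HMAC key is loaded */
#define EVM_INIT_X509      0x0002u      /* a public key is loaded */
#define EVM_SETUP_COMPLETE 0x80000000u  /* no further keys can be loaded */

/* The two statuses named in the message, plus PASS and FAIL for contrast. */
enum integrity_status { INTEGRITY_PASS, INTEGRITY_FAIL,
                        INTEGRITY_NOLABEL, INTEGRITY_NOXATTRS };

/* True only when no HMAC key is loaded and none can be loaded later. */
static bool hmac_disabled(unsigned int evm_initialized)
{
    if (evm_initialized & EVM_INIT_HMAC)
        return false;   /* HMACs are being calculated */
    if (!(evm_initialized & EVM_SETUP_COMPLETE))
        return false;   /* a key could still be loaded */
    return true;
}

/* Model of the pre-change check: 0 allows the metadata operation, -1 denies it. */
static int model_protect_xattr(unsigned int evm_initialized,
                               enum integrity_status st)
{
    if (st == INTEGRITY_PASS)
        return 0;
    /* Missing HMAC or missing protected xattrs: ignorable only if no HMAC
     * will ever be calculated, so allowing the change cannot validate them. */
    if (hmac_disabled(evm_initialized) &&
        (st == INTEGRITY_NOLABEL || st == INTEGRITY_NOXATTRS))
        return 0;
    return -1;          /* assumption: every other failure is still denied */
}

/* Model of the post hooks: recalculate the HMAC only when a key is loaded. */
static bool model_post_hook_updates_hmac(unsigned int evm_initialized)
{
    return (evm_initialized & EVM_INIT_HMAC) != 0;
}

int main(void)
{
    unsigned int pubkey_only = EVM_INIT_X509 | EVM_SETUP_COMPLETE;
    printf("new file, public key only, setup complete: %d\n",
           model_protect_xattr(pubkey_only, INTEGRITY_NOLABEL));
    printf("new file, setup not complete: %d\n",
           model_protect_xattr(EVM_INIT_X509, INTEGRITY_NOLABEL));
    printf("post hook updates HMAC: %d\n",
           model_post_hook_updates_hmac(pubkey_only));
    return 0;
}
```

The setup-not-complete case stays denied because an HMAC key could still arrive, at which point a change accepted on unverified metadata would be covered by a fresh HMAC.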