| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250930022658.4033410-1-coxu@redhat.com>
Date: Tue, 30 Sep 2025 10:26:56 +0800
From: Coiby Xu <coxu@...hat.com>
To: linux-integrity@...r.kernel.org,
Mimi Zohar <zohar@...ux.ibm.com>
Cc: Roberto Sassu <roberto.sassu@...wei.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
Eric Snowberg <eric.snowberg@...cle.com>,
Paul Moore <paul@...l-moore.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
linux-kernel@...r.kernel.org (open list),
linux-security-module@...r.kernel.org (open list:SECURITY SUBSYSTEM)
Subject: [PATCH v2 1/2] evm: fix security.evm for a file with IMA signature
When both IMA and EVM fix modes are enabled, accessing a file with IMA
signature but missing EVM HMAC won't cause security.evm to be fixed.
Add a function evm_fix_hmac which will be explicitly called to fix EVM
HMAC for this case.
Suggested-by: Mimi Zohar <zohar@...ux.ibm.com>
Signed-off-by: Coiby Xu <coxu@...hat.com>
---
include/linux/evm.h | 8 ++++++++
security/integrity/evm/evm_main.c | 28 +++++++++++++++++++++++++++
security/integrity/ima/ima_appraise.c | 5 +++++
3 files changed, 41 insertions(+)
diff --git a/include/linux/evm.h b/include/linux/evm.h
index ddece4a6b25d..913f4573b203 100644
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -18,6 +18,8 @@ extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
const char *xattr_name,
void *xattr_value,
size_t xattr_value_len);
+int evm_fix_hmac(struct dentry *dentry, const char *xattr_name,
+ const char *xattr_value, size_t xattr_value_len);
int evm_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr, struct xattr *xattrs,
int *xattr_count);
@@ -51,6 +53,12 @@ static inline enum integrity_status evm_verifyxattr(struct dentry *dentry,
{
return INTEGRITY_UNKNOWN;
}
+
+static inline int evm_fix_hmac(struct dentry *dentry, const char *xattr_name,
+ const char *xattr_value, size_t xattr_value_len)
+{
+ return -EOPNOTSUPP;
+}
#endif
static inline int evm_inode_init_security(struct inode *inode, struct inode *dir,
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 0add782e73ba..1b3edc6d26e9 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -787,6 +787,34 @@ bool evm_revalidate_status(const char *xattr_name)
return true;
}
+/**
+ * evm_fix_hmac - Calculate the HMAC and add it to security.evm for fix mode
+ * @dentry: pointer to the affected dentry which doesn't yet have security.evm
+ * xattr
+ * @xattr_name: pointer to the affected extended attribute name
+ * @xattr_value: pointer to the new extended attribute value
+ * @xattr_value_len: pointer to the new extended attribute value length
+ *
+ * Expects to be called with i_mutex locked.
+ *
+ * Return: 0 on success, -EPERM/-ENOMEM/-EOPNOTSUPP on failure
+ */
+int evm_fix_hmac(struct dentry *dentry, const char *xattr_name,
+ const char *xattr_value, size_t xattr_value_len)
+
+{
+ if (!evm_fixmode || !evm_revalidate_status((xattr_name)))
+ return -EPERM;
+
+ if (!(evm_initialized & EVM_INIT_HMAC))
+ return -EPERM;
+
+ if (is_unsupported_hmac_fs(dentry))
+ return -EOPNOTSUPP;
+
+ return evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
+}
+
/**
* evm_inode_post_setxattr - update 'security.evm' to reflect the changes
* @dentry: pointer to the affected dentry
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index f435eff4667f..f48ef5ec185e 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -601,6 +601,11 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
if (!ima_fix_xattr(dentry, iint))
status = INTEGRITY_PASS;
+ } else if (status == INTEGRITY_NOLABEL) {
+ if (!evm_fix_hmac(dentry, XATTR_NAME_IMA,
+ (const char *)xattr_value,
+ xattr_len))
+ status = INTEGRITY_PASS;
}
/*
base-commit: e129e479f2e444eaccd822717d418119d39d3d5c
--
2.51.0
Powered by blists - more mailing lists