All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH v3 00/11] evm: Improve usability of portable signatures
@ 2020-11-11  9:22 Roberto Sassu
  2020-11-11  9:22 ` [PATCH v3 01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded Roberto Sassu
                   ` (11 more replies)
  0 siblings, 12 replies; 24+ messages in thread
From: Roberto Sassu @ 2020-11-11  9:22 UTC (permalink / raw)
  To: zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu, Roberto Sassu

EVM portable signatures are particularly suitable for the protection of
metadata of immutable files where metadata is signed by a software vendor.
They can be used for example in conjunction with an IMA policy that
appraises only executed and memory mapped files.

However, some usability issues are still unsolved, especially when EVM is
used without loading an HMAC key. This patch set attempts to fix the open
issues.

Patch 1 allows EVM to be used without loading an HMAC key. Patch 2 avoids
appraisal verification of public keys (they are already verified by the key
subsystem).

Patches 3-5 allow metadata verification to be turned off when no HMAC key
is loaded and to use this mode in a safe way (by ensuring that IMA
revalidates metadata when there is a change).

Patches 6-8 make portable signatures more usable if metadata verification
is not turned off, by ignoring the INTEGRITY_NOLABEL error when no HMAC key
is loaded, by accepting any metadata modification until signature
verification succeeds (useful when xattrs/attrs are copied sequentially
from a source) and by allowing operations that don't change metadata.

Patch 9 makes it possible to use portable signatures when the IMA policy
requires file signatures and patch 10 shows portable signatures in the
measurement list when the ima-sig template is selected.

Lastly, patch 11 avoids undesired removal of security.ima when a file is
not selected by the IMA policy.

Roberto Sassu (11):
  evm: Execute evm_inode_init_security() only when an HMAC key is loaded
  evm: Load EVM key in ima_load_x509() to avoid appraisal
  evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded
  ima: Move ima_reset_appraise_flags() call to post hooks
  evm: Introduce evm_status_revalidate()
  evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded
  evm: Allow xattr/attr operations for portable signatures
  evm: Allow setxattr() and setattr() for unmodified metadata
  ima: Allow imasig requirement to be satisfied by EVM portable
    signatures
  ima: Introduce template field evmsig and write to field sig as
    fallback
  ima: Don't remove security.ima if file must not be appraised

 Documentation/ABI/testing/evm             |   5 +-
 Documentation/security/IMA-templates.rst  |   4 +-
 fs/xattr.c                                |   2 +
 include/linux/evm.h                       |   6 +
 include/linux/ima.h                       |  19 ++-
 include/linux/integrity.h                 |   1 +
 security/integrity/evm/evm_main.c         | 178 ++++++++++++++++++++--
 security/integrity/evm/evm_secfs.c        |   2 +-
 security/integrity/iint.c                 |   2 +
 security/integrity/ima/ima_appraise.c     |  52 +++++--
 security/integrity/ima/ima_init.c         |   4 +
 security/integrity/ima/ima_template.c     |   2 +
 security/integrity/ima/ima_template_lib.c |  32 +++-
 security/integrity/ima/ima_template_lib.h |   2 +
 security/security.c                       |   4 +-
 15 files changed, 275 insertions(+), 40 deletions(-)

-- 
2.27.GIT


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [PATCH v3 01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded
  2020-11-11  9:22 [PATCH v3 00/11] evm: Improve usability of portable signatures Roberto Sassu
@ 2020-11-11  9:22 ` Roberto Sassu
  2020-12-02 17:03   ` Mimi Zohar
  2020-11-11  9:22 ` [PATCH v3 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal Roberto Sassu
                   ` (10 subsequent siblings)
  11 siblings, 1 reply; 24+ messages in thread
From: Roberto Sassu @ 2020-11-11  9:22 UTC (permalink / raw)
  To: zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu, Roberto Sassu, stable

evm_inode_init_security() requires an HMAC key to calculate the HMAC on
initial xattrs provided by LSMs. However, it checks generically whether a
key has been loaded, including also public keys, which is not correct as
public keys are not suitable to calculate the HMAC.

Originally, support for signature verification was introduced to verify a
possibly immutable initial ram disk, when no new files are created, and to
switch to HMAC for the root filesystem. By that time, an HMAC key should
have been loaded and usable to calculate HMACs for new files.

More recently support for requiring an HMAC key was removed from the
kernel, so that signature verification can be used alone. Since this is a
legitimate use case, evm_inode_init_security() should not return an error
when no HMAC key has been loaded.

This patch fixes this problem by replacing the evm_key_loaded() check with
a check of the EVM_INIT_HMAC flag in evm_initialized.

Cc: stable@vger.kernel.org # 4.5.x
Fixes: 26ddabfe96b ("evm: enable EVM when X509 certificate is loaded")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/evm/evm_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 76d19146d74b..001e001eae01 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -530,7 +530,8 @@ int evm_inode_init_security(struct inode *inode,
 	struct evm_xattr *xattr_data;
 	int rc;
 
-	if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
+	if (!(evm_initialized & EVM_INIT_HMAC) ||
+	    !evm_protected_xattr(lsm_xattr->name))
 		return 0;
 
 	xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
-- 
2.27.GIT


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [PATCH v3 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal
  2020-11-11  9:22 [PATCH v3 00/11] evm: Improve usability of portable signatures Roberto Sassu
  2020-11-11  9:22 ` [PATCH v3 01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded Roberto Sassu
@ 2020-11-11  9:22 ` Roberto Sassu
  2020-12-02 17:27   ` Mimi Zohar
  2021-03-01 18:06   ` Mimi Zohar
  2020-11-11  9:22 ` [PATCH v3 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded Roberto Sassu
                   ` (9 subsequent siblings)
  11 siblings, 2 replies; 24+ messages in thread
From: Roberto Sassu @ 2020-11-11  9:22 UTC (permalink / raw)
  To: zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu, Roberto Sassu

Public keys do not need to be appraised by IMA as the restriction on the
IMA/EVM keyrings ensures that a key can be loaded only if it is signed with
a key in the primary or secondary keyring.

However, when evm_load_x509() is called, appraisal is already enabled and
a valid IMA signature must be added to the EVM key to pass verification.

Since the restriction is applied on both IMA and EVM keyrings, it is safe
to disable appraisal also when the EVM key is loaded. This patch calls
evm_load_x509() inside ima_load_x509() if CONFIG_IMA_LOAD_X509 is defined.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/iint.c         | 2 ++
 security/integrity/ima/ima_init.c | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 1d20003243c3..7d08c31c612f 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -200,7 +200,9 @@ int integrity_kernel_read(struct file *file, loff_t offset,
 void __init integrity_load_keys(void)
 {
 	ima_load_x509();
+#ifndef CONFIG_IMA_LOAD_X509
 	evm_load_x509();
+#endif
 }
 
 static int __init integrity_fs_init(void)
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 4902fe7bd570..9d29a1680da8 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -106,6 +106,10 @@ void __init ima_load_x509(void)
 
 	ima_policy_flag &= ~unset_flags;
 	integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH);
+
+	/* load also EVM key to avoid appraisal */
+	evm_load_x509();
+
 	ima_policy_flag |= unset_flags;
 }
 #endif
-- 
2.27.GIT


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [PATCH v3 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded
  2020-11-11  9:22 [PATCH v3 00/11] evm: Improve usability of portable signatures Roberto Sassu
  2020-11-11  9:22 ` [PATCH v3 01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded Roberto Sassu
  2020-11-11  9:22 ` [PATCH v3 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal Roberto Sassu
@ 2020-11-11  9:22 ` Roberto Sassu
  2020-12-02 21:07   ` Mimi Zohar
  2020-11-11  9:22 ` [PATCH v3 04/11] ima: Move ima_reset_appraise_flags() call to post hooks Roberto Sassu
                   ` (8 subsequent siblings)
  11 siblings, 1 reply; 24+ messages in thread
From: Roberto Sassu @ 2020-11-11  9:22 UTC (permalink / raw)
  To: zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu, Roberto Sassu, stable

EVM_ALLOW_METADATA_WRITES is an EVM initialization flag that can be set to
temporarily disable metadata verification until all xattrs/attrs necessary
to verify an EVM portable signature are copied to the file. This flag is
cleared when EVM is initialized with an HMAC key, to avoid that the HMAC is
calculated on unverified xattrs/attrs.

Currently EVM unnecessarily denies setting this flag if EVM is initialized
with a public key, which is not a concern as it cannot be used to trust
xattrs/attrs updates. This patch removes this limitation.

Cc: stable@vger.kernel.org # 4.16.x
Fixes: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 Documentation/ABI/testing/evm      | 5 +++--
 security/integrity/evm/evm_secfs.c | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm
index 3c477ba48a31..eb6d70fd6fa2 100644
--- a/Documentation/ABI/testing/evm
+++ b/Documentation/ABI/testing/evm
@@ -49,8 +49,9 @@ Description:
 		modification of EVM-protected metadata and
 		disable all further modification of policy
 
-		Note that once a key has been loaded, it will no longer be
-		possible to enable metadata modification.
+		Note that once an HMAC key has been loaded, it will no longer
+		be possible to enable metadata modification and, if it is
+		already enabled, it will be disabled.
 
 		Until key loading has been signaled EVM can not create
 		or validate the 'security.evm' xattr, but returns
diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
index cfc3075769bb..92fe26ace797 100644
--- a/security/integrity/evm/evm_secfs.c
+++ b/security/integrity/evm/evm_secfs.c
@@ -84,7 +84,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf,
 	 * keys are loaded.
 	 */
 	if ((i & EVM_ALLOW_METADATA_WRITES) &&
-	    ((evm_initialized & EVM_KEY_MASK) != 0) &&
+	    ((evm_initialized & EVM_INIT_HMAC) != 0) &&
 	    !(evm_initialized & EVM_ALLOW_METADATA_WRITES))
 		return -EPERM;
 
-- 
2.27.GIT


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [PATCH v3 04/11] ima: Move ima_reset_appraise_flags() call to post hooks
  2020-11-11  9:22 [PATCH v3 00/11] evm: Improve usability of portable signatures Roberto Sassu
                   ` (2 preceding siblings ...)
  2020-11-11  9:22 ` [PATCH v3 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded Roberto Sassu
@ 2020-11-11  9:22 ` Roberto Sassu
  2020-12-02 11:56   ` Roberto Sassu
  2020-11-11  9:22 ` [PATCH v3 05/11] evm: Introduce evm_status_revalidate() Roberto Sassu
                   ` (7 subsequent siblings)
  11 siblings, 1 reply; 24+ messages in thread
From: Roberto Sassu @ 2020-11-11  9:22 UTC (permalink / raw)
  To: zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu, Roberto Sassu

ima_inode_setxattr() and ima_inode_removexattr() hooks are called before an
operation is performed. Thus, ima_reset_appraise_flags() should not be
called there, as flags might be unnecessarily reset if the operation is
denied.

This patch introduces the post hooks ima_inode_post_setxattr() and
ima_inode_post_removexattr(), removes ima_inode_removexattr() and adds the
call to ima_reset_appraise_flags() in the new functions.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 fs/xattr.c                            |  2 ++
 include/linux/ima.h                   | 19 +++++++++++++++----
 security/integrity/ima/ima_appraise.c | 22 +++++++++++++++-------
 security/security.c                   |  4 +---
 4 files changed, 33 insertions(+), 14 deletions(-)

diff --git a/fs/xattr.c b/fs/xattr.c
index cd7a563e8bcd..149b8cf5f99f 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -16,6 +16,7 @@
 #include <linux/namei.h>
 #include <linux/security.h>
 #include <linux/evm.h>
+#include <linux/ima.h>
 #include <linux/syscalls.h>
 #include <linux/export.h>
 #include <linux/fsnotify.h>
@@ -474,6 +475,7 @@ __vfs_removexattr_locked(struct dentry *dentry, const char *name,
 
 	if (!error) {
 		fsnotify_xattr(dentry);
+		ima_inode_post_removexattr(dentry, name);
 		evm_inode_post_removexattr(dentry, name);
 	}
 
diff --git a/include/linux/ima.h b/include/linux/ima.h
index ac3d82f962f2..19a775fa2ba5 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -150,7 +150,12 @@ extern bool is_ima_appraise_enabled(void);
 extern void ima_inode_post_setattr(struct dentry *dentry);
 extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 		       const void *xattr_value, size_t xattr_value_len);
-extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name);
+extern void ima_inode_post_setxattr(struct dentry *dentry,
+				    const char *xattr_name,
+				    const void *xattr_value,
+				    size_t xattr_value_len);
+extern void ima_inode_post_removexattr(struct dentry *dentry,
+				       const char *xattr_name);
 #else
 static inline bool is_ima_appraise_enabled(void)
 {
@@ -170,10 +175,16 @@ static inline int ima_inode_setxattr(struct dentry *dentry,
 	return 0;
 }
 
-static inline int ima_inode_removexattr(struct dentry *dentry,
-					const char *xattr_name)
+static inline void ima_inode_post_setxattr(struct dentry *dentry,
+					   const char *xattr_name,
+					   const void *xattr_value,
+					   size_t xattr_value_len)
+{
+}
+
+static inline void ima_inode_post_removexattr(struct dentry *dentry,
+					      const char *xattr_name)
 {
-	return 0;
 }
 #endif /* CONFIG_IMA_APPRAISE */
 
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 8361941ee0a1..77c01f50425e 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -574,21 +574,29 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 	if (result == 1) {
 		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
 			return -EINVAL;
-		ima_reset_appraise_flags(d_backing_inode(dentry),
-			xvalue->type == EVM_IMA_XATTR_DIGSIG);
 		result = 0;
 	}
 	return result;
 }
 
-int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
+void ima_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
+			     const void *xattr_value, size_t xattr_value_len)
+{
+	const struct evm_ima_xattr_data *xvalue = xattr_value;
+	int result;
+
+	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
+				   xattr_value_len);
+	if (result == 1)
+		ima_reset_appraise_flags(d_backing_inode(dentry),
+			xvalue->type == EVM_IMA_XATTR_DIGSIG);
+}
+
+void ima_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
 {
 	int result;
 
 	result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
-	if (result == 1) {
+	if (result == 1)
 		ima_reset_appraise_flags(d_backing_inode(dentry), 0);
-		result = 0;
-	}
-	return result;
 }
diff --git a/security/security.c b/security/security.c
index a28045dc9e7f..fc43f45938b4 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1309,6 +1309,7 @@ void security_inode_post_setxattr(struct dentry *dentry, const char *name,
 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
 		return;
 	call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);
+	ima_inode_post_setxattr(dentry, name, value, size);
 	evm_inode_post_setxattr(dentry, name, value, size);
 }
 
@@ -1339,9 +1340,6 @@ int security_inode_removexattr(struct dentry *dentry, const char *name)
 	ret = call_int_hook(inode_removexattr, 1, dentry, name);
 	if (ret == 1)
 		ret = cap_inode_removexattr(dentry, name);
-	if (ret)
-		return ret;
-	ret = ima_inode_removexattr(dentry, name);
 	if (ret)
 		return ret;
 	return evm_inode_removexattr(dentry, name);
-- 
2.27.GIT


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [PATCH v3 05/11] evm: Introduce evm_status_revalidate()
  2020-11-11  9:22 [PATCH v3 00/11] evm: Improve usability of portable signatures Roberto Sassu
                   ` (3 preceding siblings ...)
  2020-11-11  9:22 ` [PATCH v3 04/11] ima: Move ima_reset_appraise_flags() call to post hooks Roberto Sassu
@ 2020-11-11  9:22 ` Roberto Sassu
  2020-11-11  9:22 ` [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded Roberto Sassu
                   ` (6 subsequent siblings)
  11 siblings, 0 replies; 24+ messages in thread
From: Roberto Sassu @ 2020-11-11  9:22 UTC (permalink / raw)
  To: zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu, Roberto Sassu

When EVM_ALLOW_METADATA_WRITES is set, EVM allows any operation on
metadata. Its main purpose is to allow users to freely set metadata when it
is protected by a portable signature, until an HMAC key is loaded.

However, callers of evm_verifyxattr() are not notified about metadata
changes and continue to rely on the last status returned by the function.
For example IMA, since it caches the appraisal result, will not call again
evm_verifyxattr() until the appraisal flags are cleared, and will grant
access to the file even if there was a metadata operation that made the
portable signature invalid.

This patch introduces evm_status_revalidate(), which callers of
evm_verifyxattr() can use in their xattr post hooks to determine whether
re-validation is necessary and to do the proper actions. IMA calls it in
its xattr post hooks to reset the appraisal flags, so that the EVM status
is re-evaluated after a metadata operation.

Lastly, this patch also adds a call to evm_reset_status() in
evm_inode_post_setattr() to invalidate the cached EVM status after a
setattr operation.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 include/linux/evm.h                   |  6 +++++
 security/integrity/evm/evm_main.c     | 33 +++++++++++++++++++++++----
 security/integrity/ima/ima_appraise.c |  8 ++++---
 3 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/include/linux/evm.h b/include/linux/evm.h
index 8302bc29bb35..e5b7bcb152b9 100644
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -35,6 +35,7 @@ extern void evm_inode_post_removexattr(struct dentry *dentry,
 extern int evm_inode_init_security(struct inode *inode,
 				   const struct xattr *xattr_array,
 				   struct xattr *evm);
+extern bool evm_status_revalidate(const char *xattr_name);
 #ifdef CONFIG_FS_POSIX_ACL
 extern int posix_xattr_acl(const char *xattrname);
 #else
@@ -104,5 +105,10 @@ static inline int evm_inode_init_security(struct inode *inode,
 	return 0;
 }
 
+static inline bool evm_status_revalidate(const char *xattr_name)
+{
+	return false;
+}
+
 #endif /* CONFIG_EVM */
 #endif /* LINUX_EVM_H */
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 001e001eae01..b38ffa39faa8 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -425,6 +425,30 @@ static void evm_reset_status(struct inode *inode)
 		iint->evm_status = INTEGRITY_UNKNOWN;
 }
 
+/**
+ * evm_status_revalidate - report whether EVM status re-validation is necessary
+ * @xattr_name: pointer to the affected extended attribute name
+ *
+ * Report whether callers of evm_verifyxattr() should re-validate the
+ * EVM status.
+ *
+ * Return true if re-validation is necessary, false otherwise.
+ */
+bool evm_status_revalidate(const char *xattr_name)
+{
+	if (!evm_key_loaded())
+		return false;
+
+	/* evm_inode_post_setattr() passes NULL */
+	if (!xattr_name)
+		return true;
+
+	if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name))
+		return false;
+
+	return true;
+}
+
 /**
  * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
  * @dentry: pointer to the affected dentry
@@ -441,8 +465,7 @@ static void evm_reset_status(struct inode *inode)
 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
 			     const void *xattr_value, size_t xattr_value_len)
 {
-	if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
-				  && !posix_xattr_acl(xattr_name)))
+	if (!evm_status_revalidate(xattr_name))
 		return;
 
 	evm_reset_status(dentry->d_inode);
@@ -462,7 +485,7 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
  */
 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
 {
-	if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
+	if (!evm_status_revalidate(xattr_name))
 		return;
 
 	evm_reset_status(dentry->d_inode);
@@ -513,9 +536,11 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
  */
 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
 {
-	if (!evm_key_loaded())
+	if (!evm_status_revalidate(NULL))
 		return;
 
+	evm_reset_status(dentry->d_inode);
+
 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
 		evm_update_evmxattr(dentry, NULL, NULL, 0);
 }
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 77c01f50425e..7b13ba543873 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -583,13 +583,15 @@ void ima_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
 			     const void *xattr_value, size_t xattr_value_len)
 {
 	const struct evm_ima_xattr_data *xvalue = xattr_value;
+	int digsig = 0;
 	int result;
 
 	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
 				   xattr_value_len);
 	if (result == 1)
-		ima_reset_appraise_flags(d_backing_inode(dentry),
-			xvalue->type == EVM_IMA_XATTR_DIGSIG);
+		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
+	if (result == 1 || evm_status_revalidate(xattr_name))
+		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
 }
 
 void ima_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
@@ -597,6 +599,6 @@ void ima_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
 	int result;
 
 	result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
-	if (result == 1)
+	if (result == 1 || evm_status_revalidate(xattr_name))
 		ima_reset_appraise_flags(d_backing_inode(dentry), 0);
 }
-- 
2.27.GIT


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded
  2020-11-11  9:22 [PATCH v3 00/11] evm: Improve usability of portable signatures Roberto Sassu
                   ` (4 preceding siblings ...)
  2020-11-11  9:22 ` [PATCH v3 05/11] evm: Introduce evm_status_revalidate() Roberto Sassu
@ 2020-11-11  9:22 ` Roberto Sassu
  2020-12-03 20:42   ` Mimi Zohar
  2020-11-11  9:22 ` [PATCH v3 07/11] evm: Allow xattr/attr operations for portable signatures Roberto Sassu
                   ` (5 subsequent siblings)
  11 siblings, 1 reply; 24+ messages in thread
From: Roberto Sassu @ 2020-11-11  9:22 UTC (permalink / raw)
  To: zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu, Roberto Sassu

When a file is being created, LSMs can set the initial label with the
inode_init_security hook. If no HMAC key is loaded, the new file will have
LSM xattrs but not the HMAC.

Unfortunately, EVM will deny any further metadata operation on new files,
as evm_protect_xattr() will always return the INTEGRITY_NOLABEL error. This
would limit the usability of EVM when only a public key is loaded, as
commands such as cp or tar with the option to preserve xattrs won't work.

Ignoring this error won't be an issue if no HMAC key is loaded, as the
inode is locked until the post hook, and EVM won't calculate the HMAC on
metadata that wasn't previously verified. Thus this patch checks if an
HMAC key is loaded and if not, ignores INTEGRITY_NOLABEL.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 security/integrity/evm/evm_main.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index b38ffa39faa8..4f4404a12bbd 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -354,6 +354,14 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
 				    -EPERM, 0);
 	}
 out:
+	/*
+	 * Ignoring INTEGRITY_NOLABEL is safe if no HMAC key is loaded, as
+	 * EVM won't calculate the HMAC of metadata that wasn't previously
+	 * verified.
+	 */
+	if (evm_status == INTEGRITY_NOLABEL &&
+	    !(evm_initialized & EVM_INIT_HMAC))
+		return 0;
 	if (evm_status != INTEGRITY_PASS)
 		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
 				    dentry->d_name.name, "appraise_metadata",
@@ -514,8 +522,15 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
 	if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
 		return 0;
 	evm_status = evm_verify_current_integrity(dentry);
+	/*
+	 * Ignoring INTEGRITY_NOLABEL is safe if no HMAC key is loaded, as
+	 * EVM won't calculate the HMAC of metadata that wasn't previously
+	 * verified.
+	 */
 	if ((evm_status == INTEGRITY_PASS) ||
-	    (evm_status == INTEGRITY_NOXATTRS))
+	    (evm_status == INTEGRITY_NOXATTRS) ||
+	    (evm_status == INTEGRITY_NOLABEL &&
+	     !(evm_initialized & EVM_INIT_HMAC)))
 		return 0;
 	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
 			    dentry->d_name.name, "appraise_metadata",
-- 
2.27.GIT


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [PATCH v3 07/11] evm: Allow xattr/attr operations for portable signatures
  2020-11-11  9:22 [PATCH v3 00/11] evm: Improve usability of portable signatures Roberto Sassu
                   ` (5 preceding siblings ...)
  2020-11-11  9:22 ` [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded Roberto Sassu
@ 2020-11-11  9:22 ` Roberto Sassu
  2020-11-11  9:22 ` [PATCH v3 08/11] evm: Allow setxattr() and setattr() for unmodified metadata Roberto Sassu
                   ` (4 subsequent siblings)
  11 siblings, 0 replies; 24+ messages in thread
From: Roberto Sassu @ 2020-11-11  9:22 UTC (permalink / raw)
  To: zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu, Roberto Sassu

If files with portable signatures are copied from one location to another
or are extracted from an archive, verification can temporarily fail until
all xattrs/attrs are set in the destination. Only portable signatures may
be moved or copied from one file to another, as they don't depend on
system-specific information such as the inode generation. Instead portable
signatures must include security.ima.

Unlike other security.evm types, EVM portable signatures are also
immutable. Thus, it wouldn't be a problem to allow xattr/attr operations
when verification fails, as portable signatures will never be replaced with
the HMAC on possibly corrupted xattrs/attrs.

This patch first introduces a new integrity status called
INTEGRITY_FAIL_IMMUTABLE, that allows callers of
evm_verify_current_integrity() to detect that a portable signature didn't
pass verification and then adds an exception in evm_protect_xattr() and
evm_inode_setattr() for this status and returns 0 instead of -EPERM.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 include/linux/integrity.h             |  1 +
 security/integrity/evm/evm_main.c     | 31 +++++++++++++++++++++------
 security/integrity/ima/ima_appraise.c |  2 ++
 3 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/include/linux/integrity.h b/include/linux/integrity.h
index 2271939c5c31..2ea0f2f65ab6 100644
--- a/include/linux/integrity.h
+++ b/include/linux/integrity.h
@@ -13,6 +13,7 @@ enum integrity_status {
 	INTEGRITY_PASS = 0,
 	INTEGRITY_PASS_IMMUTABLE,
 	INTEGRITY_FAIL,
+	INTEGRITY_FAIL_IMMUTABLE,
 	INTEGRITY_NOLABEL,
 	INTEGRITY_NOXATTRS,
 	INTEGRITY_UNKNOWN,
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 4f4404a12bbd..60ab700735ea 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -27,7 +27,8 @@
 int evm_initialized;
 
 static const char * const integrity_status_msg[] = {
-	"pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown"
+	"pass", "pass_immutable", "fail", "fail_immutable", "no_label",
+	"no_xattrs", "unknown"
 };
 int evm_hmac_attrs;
 
@@ -137,7 +138,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 	enum integrity_status evm_status = INTEGRITY_PASS;
 	struct evm_digest digest;
 	struct inode *inode;
-	int rc, xattr_len;
+	int rc, xattr_len, evm_immutable = 0;
 
 	if (iint && (iint->evm_status == INTEGRITY_PASS ||
 		     iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
@@ -182,8 +183,10 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 		if (rc)
 			rc = -EINVAL;
 		break;
-	case EVM_IMA_XATTR_DIGSIG:
 	case EVM_XATTR_PORTABLE_DIGSIG:
+		evm_immutable = 1;
+		fallthrough;
+	case EVM_IMA_XATTR_DIGSIG:
 		/* accept xattr with non-empty signature field */
 		if (xattr_len <= sizeof(struct signature_v2_hdr)) {
 			evm_status = INTEGRITY_FAIL;
@@ -220,9 +223,12 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 		break;
 	}
 
-	if (rc)
-		evm_status = (rc == -ENODATA) ?
-				INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
+	if (rc) {
+		evm_status = INTEGRITY_NOXATTRS;
+		if (rc != -ENODATA)
+			evm_status = evm_immutable ?
+				     INTEGRITY_FAIL_IMMUTABLE : INTEGRITY_FAIL;
+	}
 out:
 	if (iint)
 		iint->evm_status = evm_status;
@@ -362,6 +368,14 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
 	if (evm_status == INTEGRITY_NOLABEL &&
 	    !(evm_initialized & EVM_INIT_HMAC))
 		return 0;
+
+	/*
+	 * Writing other xattrs is safe for portable signatures, as portable
+	 * signatures are immutable and can never be updated.
+	 */
+	if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
+		return 0;
+
 	if (evm_status != INTEGRITY_PASS)
 		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
 				    dentry->d_name.name, "appraise_metadata",
@@ -526,12 +540,17 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
 	 * Ignoring INTEGRITY_NOLABEL is safe if no HMAC key is loaded, as
 	 * EVM won't calculate the HMAC of metadata that wasn't previously
 	 * verified.
+	 *
+	 * Writing attrs is safe for portable signatures, as portable signatures
+	 * are immutable and can never be updated.
 	 */
 	if ((evm_status == INTEGRITY_PASS) ||
 	    (evm_status == INTEGRITY_NOXATTRS) ||
+	    (evm_status == INTEGRITY_FAIL_IMMUTABLE) ||
 	    (evm_status == INTEGRITY_NOLABEL &&
 	     !(evm_initialized & EVM_INIT_HMAC)))
 		return 0;
+
 	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
 			    dentry->d_name.name, "appraise_metadata",
 			    integrity_status_msg[evm_status], -EPERM, 0);
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 7b13ba543873..57a252f8c724 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -415,6 +415,8 @@ int ima_appraise_measurement(enum ima_hooks func,
 	case INTEGRITY_NOLABEL:		/* No security.evm xattr. */
 		cause = "missing-HMAC";
 		goto out;
+	case INTEGRITY_FAIL_IMMUTABLE:
+		fallthrough;
 	case INTEGRITY_FAIL:		/* Invalid HMAC/signature. */
 		cause = "invalid-HMAC";
 		goto out;
-- 
2.27.GIT


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [PATCH v3 08/11] evm: Allow setxattr() and setattr() for unmodified metadata
  2020-11-11  9:22 [PATCH v3 00/11] evm: Improve usability of portable signatures Roberto Sassu
                   ` (6 preceding siblings ...)
  2020-11-11  9:22 ` [PATCH v3 07/11] evm: Allow xattr/attr operations for portable signatures Roberto Sassu
@ 2020-11-11  9:22 ` Roberto Sassu
  2020-11-18 17:58   ` kernel test robot
  2020-11-11  9:23 ` [PATCH v3 09/11] ima: Allow imasig requirement to be satisfied by EVM portable signatures Roberto Sassu
                   ` (3 subsequent siblings)
  11 siblings, 1 reply; 24+ messages in thread
From: Roberto Sassu @ 2020-11-11  9:22 UTC (permalink / raw)
  To: zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu, Roberto Sassu

With the patch to allow xattr/attr operations if a portable signature
verification fails, cp and tar can copy all xattrs/attrs so that at the
end of the process verification succeeds.

However, it might happen that the xattrs/attrs are already set to the
correct value (taken at signing time) and signature verification succeeds
before the copy has completed. For example, an archive might contains files
owned by root and the archive is extracted by root.

Then, since portable signatures are immutable, all subsequent operations
fail (e.g. fchown()), even if the operation is legitimate (does not alter
the current value).

This patch avoids this problem by reporting successful operation to user
space when that operation does not alter the current value of xattrs/attrs.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 security/integrity/evm/evm_main.c | 94 +++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 60ab700735ea..1b2eea30e11e 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -18,6 +18,7 @@
 #include <linux/integrity.h>
 #include <linux/evm.h>
 #include <linux/magic.h>
+#include <linux/posix_acl_xattr.h>
 
 #include <crypto/hash.h>
 #include <crypto/hash_info.h>
@@ -310,6 +311,78 @@ static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
 	return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
 }
 
+/*
+ * evm_xattr_acl_change - check if passed ACL changes the inode mode
+ * @dentry: pointer to the affected dentry
+ * @xattr_name: requested xattr
+ * @xattr_value: requested xattr value
+ * @xattr_value_len: requested xattr value length
+ *
+ * Check if passed ACL changes the inode mode, which is protected by EVM.
+ *
+ * Returns 1 if passed ACL causes inode mode change, 0 otherwise.
+ */
+static int evm_xattr_acl_change(struct dentry *dentry, const char *xattr_name,
+				const void *xattr_value, size_t xattr_value_len)
+{
+	umode_t mode;
+	struct posix_acl *acl = NULL, *acl_res;
+	struct inode *inode = d_backing_inode(dentry);
+	int rc;
+
+	/* UID/GID in ACL have been already converted from user to init ns */
+	acl = posix_acl_from_xattr(&init_user_ns, xattr_value, xattr_value_len);
+	if (!acl)
+		return 1;
+
+	acl_res = acl;
+	rc = posix_acl_update_mode(inode, &mode, &acl_res);
+
+	posix_acl_release(acl);
+
+	if (rc)
+		return 1;
+
+	if (acl_res && inode->i_mode != mode)
+		return 1;
+
+	return 0;
+}
+
+/*
+ * evm_xattr_change - check if passed xattr value differs from current value
+ * @dentry: pointer to the affected dentry
+ * @xattr_name: requested xattr
+ * @xattr_value: requested xattr value
+ * @xattr_value_len: requested xattr value length
+ *
+ * Check if passed xattr value differs from current value.
+ *
+ * Returns 1 if passed xattr value differs from current value, 0 otherwise.
+ */
+static int evm_xattr_change(struct dentry *dentry, const char *xattr_name,
+			    const void *xattr_value, size_t xattr_value_len)
+{
+	char *xattr_data = NULL;
+	int rc = 0;
+
+	if (posix_xattr_acl(xattr_name))
+		return evm_xattr_acl_change(dentry, xattr_name, xattr_value,
+					    xattr_value_len);
+
+	rc = vfs_getxattr_alloc(dentry, xattr_name, &xattr_data, 0, GFP_NOFS);
+	if (rc < 0)
+		return 1;
+
+	if (rc == xattr_value_len)
+		rc = memcmp(xattr_value, xattr_data, rc);
+	else
+		rc = 1;
+
+	kfree(xattr_data);
+	return rc;
+}
+
 /*
  * evm_protect_xattr - protect the EVM extended attribute
  *
@@ -376,6 +449,10 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
 	if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
 		return 0;
 
+	if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
+	    !evm_xattr_change(dentry, xattr_name, xattr_value, xattr_value_len))
+		return 0;
+
 	if (evm_status != INTEGRITY_PASS)
 		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
 				    dentry->d_name.name, "appraise_metadata",
@@ -515,6 +592,19 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
 	evm_update_evmxattr(dentry, xattr_name, NULL, 0);
 }
 
+static int evm_attr_change(struct dentry *dentry, struct iattr *attr)
+{
+	struct inode *inode = d_backing_inode(dentry);
+	unsigned int ia_valid = attr->ia_valid;
+
+	if ((!(ia_valid & ATTR_UID) || uid_eq(attr->ia_uid, inode->i_uid)) &&
+	    (!(ia_valid & ATTR_GID) || gid_eq(attr->ia_gid, inode->i_gid)) &&
+	    (!(ia_valid & ATTR_MODE) || attr->ia_mode == inode->i_mode))
+		return 0;
+
+	return 1;
+}
+
 /**
  * evm_inode_setattr - prevent updating an invalid EVM extended attribute
  * @dentry: pointer to the affected dentry
@@ -551,6 +641,10 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
 	     !(evm_initialized & EVM_INIT_HMAC)))
 		return 0;
 
+	if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
+	    !evm_attr_change(dentry, attr))
+		return 0;
+
 	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
 			    dentry->d_name.name, "appraise_metadata",
 			    integrity_status_msg[evm_status], -EPERM, 0);
-- 
2.27.GIT


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [PATCH v3 09/11] ima: Allow imasig requirement to be satisfied by EVM portable signatures
  2020-11-11  9:22 [PATCH v3 00/11] evm: Improve usability of portable signatures Roberto Sassu
                   ` (7 preceding siblings ...)
  2020-11-11  9:22 ` [PATCH v3 08/11] evm: Allow setxattr() and setattr() for unmodified metadata Roberto Sassu
@ 2020-11-11  9:23 ` Roberto Sassu
  2020-11-11  9:23 ` [PATCH v3 10/11] ima: Introduce template field evmsig and write to field sig as fallback Roberto Sassu
                   ` (2 subsequent siblings)
  11 siblings, 0 replies; 24+ messages in thread
From: Roberto Sassu @ 2020-11-11  9:23 UTC (permalink / raw)
  To: zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu, Roberto Sassu

System administrators can require that all accessed files have a signature
by specifying appraise_type=imasig in a policy rule.

Currently, IMA signatures satisfy this requirement. Appended signatures may
also satisfy this requirement, but are not applicable as IMA signatures.
IMA/appended signatures ensure data source authentication for file content
and prevent any change. EVM signatures instead ensure data source
authentication for file metadata. Given that the digest or signature of the
file content must be included in the metadata, EVM signatures provide the
same file data guarantees of IMA signatures, as well as providing file
metadata guarantees.

This patch lets systems protected with EVM signatures pass appraisal
verification if the appraise_type=imasig requirement is specified in the
policy. This facilitates deployment in the scenarios where only EVM
signatures are available.

The patch makes the following changes:

file xattr types:
security.ima: IMA_XATTR_DIGEST/IMA_XATTR_DIGEST_NG
security.evm: EVM_XATTR_PORTABLE_DIGSIG

execve(), mmap(), open() behavior (with appraise_type=imasig):
before: denied (file without IMA signature, imasig requirement not met)
after: allowed (file with EVM portable signature, imasig requirement met)

open(O_WRONLY) behavior (without appraise_type=imasig):
before: allowed (file without IMA signature, not immutable)
after: denied (file with EVM portable signature, immutable)

In addition, similarly to IMA signatures, this patch temporarily allows
new files without or with incomplete metadata to be opened so that content
can be written.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/ima/ima_appraise.c | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 57a252f8c724..00b038941a10 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -241,12 +241,16 @@ static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
 		hash_start = 1;
 		fallthrough;
 	case IMA_XATTR_DIGEST:
-		if (iint->flags & IMA_DIGSIG_REQUIRED) {
-			*cause = "IMA-signature-required";
-			*status = INTEGRITY_FAIL;
-			break;
+		if (*status != INTEGRITY_PASS_IMMUTABLE) {
+			if (iint->flags & IMA_DIGSIG_REQUIRED) {
+				*cause = "IMA-signature-required";
+				*status = INTEGRITY_FAIL;
+				break;
+			}
+			clear_bit(IMA_DIGSIG, &iint->atomic_flags);
+		} else {
+			set_bit(IMA_DIGSIG, &iint->atomic_flags);
 		}
-		clear_bit(IMA_DIGSIG, &iint->atomic_flags);
 		if (xattr_len - sizeof(xattr_value->type) - hash_start >=
 				iint->ima_hash->length)
 			/*
@@ -416,6 +420,7 @@ int ima_appraise_measurement(enum ima_hooks func,
 		cause = "missing-HMAC";
 		goto out;
 	case INTEGRITY_FAIL_IMMUTABLE:
+		set_bit(IMA_DIGSIG, &iint->atomic_flags);
 		fallthrough;
 	case INTEGRITY_FAIL:		/* Invalid HMAC/signature. */
 		cause = "invalid-HMAC";
@@ -460,9 +465,12 @@ int ima_appraise_measurement(enum ima_hooks func,
 				status = INTEGRITY_PASS;
 		}
 
-		/* Permit new files with file signatures, but without data. */
+		/*
+		 * Permit new files with file/EVM portable signatures, but
+		 * without data.
+		 */
 		if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
-		    xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) {
+		    test_bit(IMA_DIGSIG, &iint->atomic_flags)) {
 			status = INTEGRITY_PASS;
 		}
 
@@ -592,6 +600,8 @@ void ima_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
 				   xattr_value_len);
 	if (result == 1)
 		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
+	if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0)
+		digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
 	if (result == 1 || evm_status_revalidate(xattr_name))
 		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
 }
-- 
2.27.GIT


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [PATCH v3 10/11] ima: Introduce template field evmsig and write to field sig as fallback
  2020-11-11  9:22 [PATCH v3 00/11] evm: Improve usability of portable signatures Roberto Sassu
                   ` (8 preceding siblings ...)
  2020-11-11  9:23 ` [PATCH v3 09/11] ima: Allow imasig requirement to be satisfied by EVM portable signatures Roberto Sassu
@ 2020-11-11  9:23 ` Roberto Sassu
  2020-11-11  9:23 ` [PATCH v3 11/11] ima: Don't remove security.ima if file must not be appraised Roberto Sassu
  2020-12-01 20:52 ` [PATCH v3 00/11] evm: Improve usability of portable signatures Mimi Zohar
  11 siblings, 0 replies; 24+ messages in thread
From: Roberto Sassu @ 2020-11-11  9:23 UTC (permalink / raw)
  To: zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu, Roberto Sassu

With the patch to accept EVM portable signatures when the
appraise_type=imasig requirement is specified in the policy, appraisal can
be successfully done even if the file does not have an IMA signature.

However, remote attestation would not see that a different signature type
was used, as only IMA signatures can be included in the measurement list.
This patch solves the issue by introducing the new template field 'evmsig'
to show EVM portable signatures and by including its value in the existing
field 'sig' if the IMA signature is not found.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
---
 Documentation/security/IMA-templates.rst  |  4 ++-
 security/integrity/ima/ima_template.c     |  2 ++
 security/integrity/ima/ima_template_lib.c | 32 ++++++++++++++++++++++-
 security/integrity/ima/ima_template_lib.h |  2 ++
 4 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst
index c5a8432972ef..9f3e86ab028a 100644
--- a/Documentation/security/IMA-templates.rst
+++ b/Documentation/security/IMA-templates.rst
@@ -70,9 +70,11 @@ descriptors by adding their identifier to the format string
    prefix is shown only if the hash algorithm is not SHA1 or MD5);
  - 'd-modsig': the digest of the event without the appended modsig;
  - 'n-ng': the name of the event, without size limitations;
- - 'sig': the file signature;
+ - 'sig': the file signature, or the EVM portable signature if the file
+   signature is not found;
  - 'modsig' the appended file signature;
  - 'buf': the buffer data that was used to generate the hash without size limitations;
+ - 'evmsig': the EVM portable signature;
 
 
 Below, there is the list of defined template descriptors:
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index 1e89e2d3851f..02afc4116606 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -45,6 +45,8 @@ static const struct ima_template_field supported_fields[] = {
 	 .field_show = ima_show_template_digest_ng},
 	{.field_id = "modsig", .field_init = ima_eventmodsig_init,
 	 .field_show = ima_show_template_sig},
+	{.field_id = "evmsig", .field_init = ima_eventevmsig_init,
+	 .field_show = ima_show_template_sig},
 };
 
 /*
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index c022ee9e2a4e..90040fac150b 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -10,6 +10,7 @@
  */
 
 #include "ima_template_lib.h"
+#include <linux/xattr.h>
 
 static bool ima_template_hash_algo_allowed(u8 algo)
 {
@@ -438,7 +439,7 @@ int ima_eventsig_init(struct ima_event_data *event_data,
 	struct evm_ima_xattr_data *xattr_value = event_data->xattr_value;
 
 	if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
-		return 0;
+		return ima_eventevmsig_init(event_data, field_data);
 
 	return ima_write_template_field_data(xattr_value, event_data->xattr_len,
 					     DATA_FMT_HEX, field_data);
@@ -484,3 +485,32 @@ int ima_eventmodsig_init(struct ima_event_data *event_data,
 	return ima_write_template_field_data(data, data_len, DATA_FMT_HEX,
 					     field_data);
 }
+
+/*
+ *  ima_eventevmsig_init - include the EVM portable signature as part of the
+ *  template data
+ */
+int ima_eventevmsig_init(struct ima_event_data *event_data,
+			 struct ima_field_data *field_data)
+{
+	struct evm_ima_xattr_data *xattr_data = NULL;
+	int rc = 0;
+
+	if (!event_data->file)
+		return 0;
+
+	rc = vfs_getxattr_alloc(file_dentry(event_data->file), XATTR_NAME_EVM,
+				(char **)&xattr_data, 0, GFP_NOFS);
+	if (rc <= 0)
+		return 0;
+
+	if (xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) {
+		kfree(xattr_data);
+		return 0;
+	}
+
+	rc = ima_write_template_field_data((char *)xattr_data, rc, DATA_FMT_HEX,
+					   field_data);
+	kfree(xattr_data);
+	return rc;
+}
diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h
index 6b3b880637a0..f4b2a2056d1d 100644
--- a/security/integrity/ima/ima_template_lib.h
+++ b/security/integrity/ima/ima_template_lib.h
@@ -46,4 +46,6 @@ int ima_eventbuf_init(struct ima_event_data *event_data,
 		      struct ima_field_data *field_data);
 int ima_eventmodsig_init(struct ima_event_data *event_data,
 			 struct ima_field_data *field_data);
+int ima_eventevmsig_init(struct ima_event_data *event_data,
+			 struct ima_field_data *field_data);
 #endif /* __LINUX_IMA_TEMPLATE_LIB_H */
-- 
2.27.GIT


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [PATCH v3 11/11] ima: Don't remove security.ima if file must not be appraised
  2020-11-11  9:22 [PATCH v3 00/11] evm: Improve usability of portable signatures Roberto Sassu
                   ` (9 preceding siblings ...)
  2020-11-11  9:23 ` [PATCH v3 10/11] ima: Introduce template field evmsig and write to field sig as fallback Roberto Sassu
@ 2020-11-11  9:23 ` Roberto Sassu
  2020-12-01 20:52 ` [PATCH v3 00/11] evm: Improve usability of portable signatures Mimi Zohar
  11 siblings, 0 replies; 24+ messages in thread
From: Roberto Sassu @ 2020-11-11  9:23 UTC (permalink / raw)
  To: zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu, Roberto Sassu

Files might come from a remote source and might have xattrs, including
security.ima. It should not be IMA task to decide whether security.ima
should be kept or not. This patch removes the removexattr() system
call in ima_inode_post_setattr().

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/ima/ima_appraise.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 00b038941a10..f03cb4b7270d 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -529,8 +529,6 @@ void ima_inode_post_setattr(struct dentry *dentry)
 		return;
 
 	action = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
-	if (!action)
-		__vfs_removexattr(dentry, XATTR_NAME_IMA);
 	iint = integrity_iint_find(inode);
 	if (iint) {
 		set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
-- 
2.27.GIT


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PATCH v3 08/11] evm: Allow setxattr() and setattr() for unmodified metadata
  2020-11-11  9:22 ` [PATCH v3 08/11] evm: Allow setxattr() and setattr() for unmodified metadata Roberto Sassu
@ 2020-11-18 17:58   ` kernel test robot
  0 siblings, 0 replies; 24+ messages in thread
From: kernel test robot @ 2020-11-18 17:58 UTC (permalink / raw)
  To: Roberto Sassu, zohar, mjg59
  Cc: kbuild-all, linux-integrity, linux-security-module,
	linux-fsdevel, linux-kernel, silviu.vlasceanu, Roberto Sassu

[-- Attachment #1: Type: text/plain, Size: 3395 bytes --]

Hi Roberto,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on integrity/next-integrity]
[also build test ERROR on linus/master v5.10-rc4 next-20201118]
[cannot apply to security/next-testing]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Roberto-Sassu/evm-Improve-usability-of-portable-signatures/20201111-172839
base:   https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
config: h8300-randconfig-r023-20201118 (attached as .config)
compiler: h8300-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/980f241069945bb56197027fd204689af8ec07e5
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Roberto-Sassu/evm-Improve-usability-of-portable-signatures/20201111-172839
        git checkout 980f241069945bb56197027fd204689af8ec07e5
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=h8300 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   security/integrity/evm/evm_main.c: In function 'evm_xattr_acl_change':
>> security/integrity/evm/evm_main.c:339:7: error: implicit declaration of function 'posix_acl_update_mode'; did you mean 'posix_acl_equiv_mode'? [-Werror=implicit-function-declaration]
     339 |  rc = posix_acl_update_mode(inode, &mode, &acl_res);
         |       ^~~~~~~~~~~~~~~~~~~~~
         |       posix_acl_equiv_mode
   cc1: some warnings being treated as errors

vim +339 security/integrity/evm/evm_main.c

   313	
   314	/*
   315	 * evm_xattr_acl_change - check if passed ACL changes the inode mode
   316	 * @dentry: pointer to the affected dentry
   317	 * @xattr_name: requested xattr
   318	 * @xattr_value: requested xattr value
   319	 * @xattr_value_len: requested xattr value length
   320	 *
   321	 * Check if passed ACL changes the inode mode, which is protected by EVM.
   322	 *
   323	 * Returns 1 if passed ACL causes inode mode change, 0 otherwise.
   324	 */
   325	static int evm_xattr_acl_change(struct dentry *dentry, const char *xattr_name,
   326					const void *xattr_value, size_t xattr_value_len)
   327	{
   328		umode_t mode;
   329		struct posix_acl *acl = NULL, *acl_res;
   330		struct inode *inode = d_backing_inode(dentry);
   331		int rc;
   332	
   333		/* UID/GID in ACL have been already converted from user to init ns */
   334		acl = posix_acl_from_xattr(&init_user_ns, xattr_value, xattr_value_len);
   335		if (!acl)
   336			return 1;
   337	
   338		acl_res = acl;
 > 339		rc = posix_acl_update_mode(inode, &mode, &acl_res);
   340	
   341		posix_acl_release(acl);
   342	
   343		if (rc)
   344			return 1;
   345	
   346		if (acl_res && inode->i_mode != mode)
   347			return 1;
   348	
   349		return 0;
   350	}
   351	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 29165 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PATCH v3 00/11] evm: Improve usability of portable signatures
  2020-11-11  9:22 [PATCH v3 00/11] evm: Improve usability of portable signatures Roberto Sassu
                   ` (10 preceding siblings ...)
  2020-11-11  9:23 ` [PATCH v3 11/11] ima: Don't remove security.ima if file must not be appraised Roberto Sassu
@ 2020-12-01 20:52 ` Mimi Zohar
  11 siblings, 0 replies; 24+ messages in thread
From: Mimi Zohar @ 2020-12-01 20:52 UTC (permalink / raw)
  To: Roberto Sassu, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu

Hi Roberto,

On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> EVM portable signatures are particularly suitable for the protection of
> metadata of immutable files where metadata is signed by a software vendor.
> They can be used for example in conjunction with an IMA policy that
> appraises only executed and memory mapped files.

The existing "appraise_tcb" builtin policy verify all root owned files.
Defining a new builtin policy to verify only executed and memory
mmapped files would make a nice addition and would probably simplify
testing.

> 
> However, some usability issues are still unsolved, especially when EVM is
> used without loading an HMAC key. This patch set attempts to fix the open
> issues.

We need regression tests for each of these changes.

To prevent affecting the running system, the appraise policy rules
could be limited to a loopback mounted filesystem. 

> 
> Patch 1 allows EVM to be used without loading an HMAC key. Patch 2 avoids
> appraisal verification of public keys (they are already verified by the key
> subsystem).

Loading the EVM key(s) occurs early, either the builtin x509 EVM key or
during the initramfs, makes testing difficult.  Based on
security/evm/evm, different tests could be defined for when only x509
keys, only HMAC key, or both EVM key types are loaded.

> 
> Patches 3-5 allow metadata verification to be turned off when no HMAC key
> is loaded and to use this mode in a safe way (by ensuring that IMA
> revalidates metadata when there is a change).
> 
> Patches 6-8 make portable signatures more usable if metadata verification
> is not turned off, by ignoring the INTEGRITY_NOLABEL error when no HMAC key
> is loaded, by accepting any metadata modification until signature
> verification succeeds (useful when xattrs/attrs are copied sequentially
> from a source) and by allowing operations that don't change metadata.
> 
> Patch 9 makes it possible to use portable signatures when the IMA policy
> requires file signatures and patch 10 shows portable signatures in the
> measurement list when the ima-sig template is selected.

ima-evm-utils needs to be updated to support EVM portable & immutable
signatures.

> 
> Lastly, patch 11 avoids undesired removal of security.ima when a file is
> not selected by the IMA policy.

thanks,

Mimi


^ permalink raw reply	[flat|nested] 24+ messages in thread

* RE: [PATCH v3 04/11] ima: Move ima_reset_appraise_flags() call to post hooks
  2020-11-11  9:22 ` [PATCH v3 04/11] ima: Move ima_reset_appraise_flags() call to post hooks Roberto Sassu
@ 2020-12-02 11:56   ` Roberto Sassu
  2020-12-03 20:43     ` Mimi Zohar
  0 siblings, 1 reply; 24+ messages in thread
From: Roberto Sassu @ 2020-12-02 11:56 UTC (permalink / raw)
  To: zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, Silviu Vlasceanu

> From: Roberto Sassu
> Sent: Wednesday, November 11, 2020 10:23 AM
> ima_inode_setxattr() and ima_inode_removexattr() hooks are called
> before an
> operation is performed. Thus, ima_reset_appraise_flags() should not be
> called there, as flags might be unnecessarily reset if the operation is
> denied.
> 
> This patch introduces the post hooks ima_inode_post_setxattr() and
> ima_inode_post_removexattr(), removes ima_inode_removexattr() and
> adds the
> call to ima_reset_appraise_flags() in the new functions.

Removing ima_inode_removexattr() is not correct. We should still prevent
that security.ima is removed when CAP_SYS_ADMIN is not set. I will fix
this in the next version.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>  fs/xattr.c                            |  2 ++
>  include/linux/ima.h                   | 19 +++++++++++++++----
>  security/integrity/ima/ima_appraise.c | 22 +++++++++++++++-------
>  security/security.c                   |  4 +---
>  4 files changed, 33 insertions(+), 14 deletions(-)
> 
> diff --git a/fs/xattr.c b/fs/xattr.c
> index cd7a563e8bcd..149b8cf5f99f 100644
> --- a/fs/xattr.c
> +++ b/fs/xattr.c
> @@ -16,6 +16,7 @@
>  #include <linux/namei.h>
>  #include <linux/security.h>
>  #include <linux/evm.h>
> +#include <linux/ima.h>
>  #include <linux/syscalls.h>
>  #include <linux/export.h>
>  #include <linux/fsnotify.h>
> @@ -474,6 +475,7 @@ __vfs_removexattr_locked(struct dentry *dentry,
> const char *name,
> 
>  	if (!error) {
>  		fsnotify_xattr(dentry);
> +		ima_inode_post_removexattr(dentry, name);
>  		evm_inode_post_removexattr(dentry, name);
>  	}
> 
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index ac3d82f962f2..19a775fa2ba5 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -150,7 +150,12 @@ extern bool is_ima_appraise_enabled(void);
>  extern void ima_inode_post_setattr(struct dentry *dentry);
>  extern int ima_inode_setxattr(struct dentry *dentry, const char
> *xattr_name,
>  		       const void *xattr_value, size_t xattr_value_len);
> -extern int ima_inode_removexattr(struct dentry *dentry, const char
> *xattr_name);
> +extern void ima_inode_post_setxattr(struct dentry *dentry,
> +				    const char *xattr_name,
> +				    const void *xattr_value,
> +				    size_t xattr_value_len);
> +extern void ima_inode_post_removexattr(struct dentry *dentry,
> +				       const char *xattr_name);
>  #else
>  static inline bool is_ima_appraise_enabled(void)
>  {
> @@ -170,10 +175,16 @@ static inline int ima_inode_setxattr(struct dentry
> *dentry,
>  	return 0;
>  }
> 
> -static inline int ima_inode_removexattr(struct dentry *dentry,
> -					const char *xattr_name)
> +static inline void ima_inode_post_setxattr(struct dentry *dentry,
> +					   const char *xattr_name,
> +					   const void *xattr_value,
> +					   size_t xattr_value_len)
> +{
> +}
> +
> +static inline void ima_inode_post_removexattr(struct dentry *dentry,
> +					      const char *xattr_name)
>  {
> -	return 0;
>  }
>  #endif /* CONFIG_IMA_APPRAISE */
> 
> diff --git a/security/integrity/ima/ima_appraise.c
> b/security/integrity/ima/ima_appraise.c
> index 8361941ee0a1..77c01f50425e 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -574,21 +574,29 @@ int ima_inode_setxattr(struct dentry *dentry,
> const char *xattr_name,
>  	if (result == 1) {
>  		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
>  			return -EINVAL;
> -		ima_reset_appraise_flags(d_backing_inode(dentry),
> -			xvalue->type == EVM_IMA_XATTR_DIGSIG);
>  		result = 0;
>  	}
>  	return result;
>  }
> 
> -int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
> +void ima_inode_post_setxattr(struct dentry *dentry, const char
> *xattr_name,
> +			     const void *xattr_value, size_t xattr_value_len)
> +{
> +	const struct evm_ima_xattr_data *xvalue = xattr_value;
> +	int result;
> +
> +	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
> +				   xattr_value_len);
> +	if (result == 1)
> +		ima_reset_appraise_flags(d_backing_inode(dentry),
> +			xvalue->type == EVM_IMA_XATTR_DIGSIG);
> +}
> +
> +void ima_inode_post_removexattr(struct dentry *dentry, const char
> *xattr_name)
>  {
>  	int result;
> 
>  	result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
> -	if (result == 1) {
> +	if (result == 1)
>  		ima_reset_appraise_flags(d_backing_inode(dentry), 0);
> -		result = 0;
> -	}
> -	return result;
>  }
> diff --git a/security/security.c b/security/security.c
> index a28045dc9e7f..fc43f45938b4 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1309,6 +1309,7 @@ void security_inode_post_setxattr(struct dentry
> *dentry, const char *name,
>  	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
>  		return;
>  	call_void_hook(inode_post_setxattr, dentry, name, value, size,
> flags);
> +	ima_inode_post_setxattr(dentry, name, value, size);
>  	evm_inode_post_setxattr(dentry, name, value, size);
>  }
> 
> @@ -1339,9 +1340,6 @@ int security_inode_removexattr(struct dentry
> *dentry, const char *name)
>  	ret = call_int_hook(inode_removexattr, 1, dentry, name);
>  	if (ret == 1)
>  		ret = cap_inode_removexattr(dentry, name);
> -	if (ret)
> -		return ret;
> -	ret = ima_inode_removexattr(dentry, name);
>  	if (ret)
>  		return ret;
>  	return evm_inode_removexattr(dentry, name);
> --
> 2.27.GIT


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PATCH v3 01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded
  2020-11-11  9:22 ` [PATCH v3 01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded Roberto Sassu
@ 2020-12-02 17:03   ` Mimi Zohar
  0 siblings, 0 replies; 24+ messages in thread
From: Mimi Zohar @ 2020-12-02 17:03 UTC (permalink / raw)
  To: Roberto Sassu, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu, stable

On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> evm_inode_init_security() requires an HMAC key to calculate the HMAC on
> initial xattrs provided by LSMs. However, it checks generically whether a
> key has been loaded, including also public keys, which is not correct as
> public keys are not suitable to calculate the HMAC.
> 
> Originally, support for signature verification was introduced to verify a
> possibly immutable initial ram disk, when no new files are created, and to
> switch to HMAC for the root filesystem. By that time, an HMAC key should
> have been loaded and usable to calculate HMACs for new files.
> 
> More recently support for requiring an HMAC key was removed from the
> kernel, so that signature verification can be used alone. Since this is a
> legitimate use case, evm_inode_init_security() should not return an error
> when no HMAC key has been loaded.
> 
> This patch fixes this problem by replacing the evm_key_loaded() check with
> a check of the EVM_INIT_HMAC flag in evm_initialized.
> 
> Cc: stable@vger.kernel.org # 4.5.x
> Fixes: 26ddabfe96b ("evm: enable EVM when X509 certificate is loaded")
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  security/integrity/evm/evm_main.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index 76d19146d74b..001e001eae01 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -530,7 +530,8 @@ int evm_inode_init_security(struct inode *inode,
>  	struct evm_xattr *xattr_data;
>  	int rc;
>  
> -	if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
> +	if (!(evm_initialized & EVM_INIT_HMAC) ||
> +	    !evm_protected_xattr(lsm_xattr->name))
>  		return 0;
>  
>  	xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);

Let's update the function description to make it explicit.  Something
like: "evm_inode_init_security - initializes security.evm HMAC value"

Mimi




^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PATCH v3 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal
  2020-11-11  9:22 ` [PATCH v3 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal Roberto Sassu
@ 2020-12-02 17:27   ` Mimi Zohar
  2021-03-01 18:06   ` Mimi Zohar
  1 sibling, 0 replies; 24+ messages in thread
From: Mimi Zohar @ 2020-12-02 17:27 UTC (permalink / raw)
  To: Roberto Sassu, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu

On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> Public keys do not need to be appraised by IMA as the restriction on the
> IMA/EVM keyrings ensures that a key can be loaded only if it is signed with
> a key in the primary or secondary keyring.

Let's clean this up a bit.
- The public builtin keys ...
- IMA/EVM trusted keyrings ...
- on the builtin or secondary keyrings

> However, when evm_load_x509() is called, appraisal is already enabled and
> a valid IMA signature must be added to the EVM key to pass verification.
> 
> Since the restriction is applied on both IMA and EVM keyrings, it is safe

and update:
- IMA and EVM trusted keyrings 

> to disable appraisal also when the EVM key is loaded. This patch calls
> evm_load_x509() inside ima_load_x509() if CONFIG_IMA_LOAD_X509 is defined.

, which crosses the normal IMA and EVM boundary,

thanks,

Mimi


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PATCH v3 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded
  2020-11-11  9:22 ` [PATCH v3 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded Roberto Sassu
@ 2020-12-02 21:07   ` Mimi Zohar
  0 siblings, 0 replies; 24+ messages in thread
From: Mimi Zohar @ 2020-12-02 21:07 UTC (permalink / raw)
  To: Roberto Sassu, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu, stable

On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> EVM_ALLOW_METADATA_WRITES is an EVM initialization flag that can be set to
> temporarily disable metadata verification until all xattrs/attrs necessary
> to verify an EVM portable signature are copied to the file. This flag is
> cleared when EVM is initialized with an HMAC key, to avoid that the HMAC is
> calculated on unverified xattrs/attrs.
> 
> Currently EVM unnecessarily denies setting this flag if EVM is initialized
> with a public key, which is not a concern as it cannot be used to trust
> xattrs/attrs updates. This patch removes this limitation.
> 
> Cc: stable@vger.kernel.org # 4.16.x
> Fixes: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata")
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>  Documentation/ABI/testing/evm      | 5 +++--
>  security/integrity/evm/evm_secfs.c | 2 +-
>  2 files changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm
> index 3c477ba48a31..eb6d70fd6fa2 100644
> --- a/Documentation/ABI/testing/evm
> +++ b/Documentation/ABI/testing/evm
> @@ -49,8 +49,9 @@ Description:
>  		modification of EVM-protected metadata and
>  		disable all further modification of policy
>  
> -		Note that once a key has been loaded, it will no longer be
> -		possible to enable metadata modification.
> +		Note that once an HMAC key has been loaded, it will no longer
> +		be possible to enable metadata modification and, if it is
> +		already enabled, it will be disabled.
>  
>  		Until key loading has been signaled EVM can not create
>  		or validate the 'security.evm' xattr, but returns
> diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
> index cfc3075769bb..92fe26ace797 100644
> --- a/security/integrity/evm/evm_secfs.c
> +++ b/security/integrity/evm/evm_secfs.c
> @@ -84,7 +84,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf,
>  	 * keys are loaded.
>  	 */
>  	if ((i & EVM_ALLOW_METADATA_WRITES) &&
> -	    ((evm_initialized & EVM_KEY_MASK) != 0) &&
> +	    ((evm_initialized & EVM_INIT_HMAC) != 0) &&
>  	    !(evm_initialized & EVM_ALLOW_METADATA_WRITES))
>  		return -EPERM;
>  

If an HMAC key is loaded EVM_ALLOW_METADATA_WRITES should already be
disabled.  Testing EVM_ALLOW_METADATA_WRITES shouldn't be needed. 
Please update the comment: "Don't allow a request to freshly enable
metadata writes if keys are loaded."

thanks,

Mimi


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded
  2020-11-11  9:22 ` [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded Roberto Sassu
@ 2020-12-03 20:42   ` Mimi Zohar
  2020-12-04  8:05     ` Roberto Sassu
  0 siblings, 1 reply; 24+ messages in thread
From: Mimi Zohar @ 2020-12-03 20:42 UTC (permalink / raw)
  To: Roberto Sassu, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu

Hi Roberto,

On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> When a file is being created, LSMs can set the initial label with the
> inode_init_security hook. If no HMAC key is loaded, the new file will have
> LSM xattrs but not the HMAC.
> 
> Unfortunately, EVM will deny any further metadata operation on new files,
> as evm_protect_xattr() will always return the INTEGRITY_NOLABEL error. This
> would limit the usability of EVM when only a public key is loaded, as
> commands such as cp or tar with the option to preserve xattrs won't work.
> 
> Ignoring this error won't be an issue if no HMAC key is loaded, as the
> inode is locked until the post hook, and EVM won't calculate the HMAC on
> metadata that wasn't previously verified. Thus this patch checks if an
> HMAC key is loaded and if not, ignores INTEGRITY_NOLABEL.

I'm not sure what problem this patch is trying to solve. 
evm_protect_xattr() is only called by evm_inode_setxattr() and
evm_inode_removexattr(), which first checks whether
EVM_ALLOW_METADATA_WRITES is enabled.

Mimi


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PATCH v3 04/11] ima: Move ima_reset_appraise_flags() call to post hooks
  2020-12-02 11:56   ` Roberto Sassu
@ 2020-12-03 20:43     ` Mimi Zohar
  0 siblings, 0 replies; 24+ messages in thread
From: Mimi Zohar @ 2020-12-03 20:43 UTC (permalink / raw)
  To: Roberto Sassu, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, Silviu Vlasceanu

On Wed, 2020-12-02 at 11:56 +0000, Roberto Sassu wrote:
> > From: Roberto Sassu
> > Sent: Wednesday, November 11, 2020 10:23 AM
> > ima_inode_setxattr() and ima_inode_removexattr() hooks are called
> > before an
> > operation is performed. Thus, ima_reset_appraise_flags() should not be
> > called there, as flags might be unnecessarily reset if the operation is
> > denied.
> > 
> > This patch introduces the post hooks ima_inode_post_setxattr() and
> > ima_inode_post_removexattr(), removes ima_inode_removexattr() and
> > adds the
> > call to ima_reset_appraise_flags() in the new functions.
> 
> Removing ima_inode_removexattr() is not correct. We should still prevent
> that security.ima is removed when CAP_SYS_ADMIN is not set. I will fix
> this in the next version.

Ok.  So this patch will define the post hooks and defer
ima_reset_appraise_flags() to them, leaving the original hooks intact.

Mimi


^ permalink raw reply	[flat|nested] 24+ messages in thread

* RE: [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded
  2020-12-03 20:42   ` Mimi Zohar
@ 2020-12-04  8:05     ` Roberto Sassu
  2020-12-04 13:04       ` Mimi Zohar
  0 siblings, 1 reply; 24+ messages in thread
From: Roberto Sassu @ 2020-12-04  8:05 UTC (permalink / raw)
  To: Mimi Zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, Silviu Vlasceanu

> From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> Sent: Thursday, December 3, 2020 9:43 PM
> Hi Roberto,
> 
> On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> > When a file is being created, LSMs can set the initial label with the
> > inode_init_security hook. If no HMAC key is loaded, the new file will have
> > LSM xattrs but not the HMAC.
> >
> > Unfortunately, EVM will deny any further metadata operation on new
> files,
> > as evm_protect_xattr() will always return the INTEGRITY_NOLABEL error.
> This
> > would limit the usability of EVM when only a public key is loaded, as
> > commands such as cp or tar with the option to preserve xattrs won't work.
> >
> > Ignoring this error won't be an issue if no HMAC key is loaded, as the
> > inode is locked until the post hook, and EVM won't calculate the HMAC on
> > metadata that wasn't previously verified. Thus this patch checks if an
> > HMAC key is loaded and if not, ignores INTEGRITY_NOLABEL.
> 
> I'm not sure what problem this patch is trying to solve.
> evm_protect_xattr() is only called by evm_inode_setxattr() and
> evm_inode_removexattr(), which first checks whether
> EVM_ALLOW_METADATA_WRITES is enabled.

The idea is to also support EVM verification when only a public key
is loaded. An advantage to do that is that for example we can prevent
accidental metadata changes when the signature is portable.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded
  2020-12-04  8:05     ` Roberto Sassu
@ 2020-12-04 13:04       ` Mimi Zohar
  2020-12-04 14:59         ` Roberto Sassu
  0 siblings, 1 reply; 24+ messages in thread
From: Mimi Zohar @ 2020-12-04 13:04 UTC (permalink / raw)
  To: Roberto Sassu, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, Silviu Vlasceanu

On Fri, 2020-12-04 at 08:05 +0000, Roberto Sassu wrote:
> > From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> > Sent: Thursday, December 3, 2020 9:43 PM
> > Hi Roberto,
> > 
> > On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> > > When a file is being created, LSMs can set the initial label with the
> > > inode_init_security hook. If no HMAC key is loaded, the new file will have
> > > LSM xattrs but not the HMAC.
> > >
> > > Unfortunately, EVM will deny any further metadata operation on new
> > files,
> > > as evm_protect_xattr() will always return the INTEGRITY_NOLABEL error.
> > This
> > > would limit the usability of EVM when only a public key is loaded, as
> > > commands such as cp or tar with the option to preserve xattrs won't work.
> > >
> > > Ignoring this error won't be an issue if no HMAC key is loaded, as the
> > > inode is locked until the post hook, and EVM won't calculate the HMAC on
> > > metadata that wasn't previously verified. Thus this patch checks if an
> > > HMAC key is loaded and if not, ignores INTEGRITY_NOLABEL.
> > 
> > I'm not sure what problem this patch is trying to solve.
> > evm_protect_xattr() is only called by evm_inode_setxattr() and
> > evm_inode_removexattr(), which first checks whether
> > EVM_ALLOW_METADATA_WRITES is enabled.
> 
> The idea is to also support EVM verification when only a public key
> is loaded. An advantage to do that is that for example we can prevent
> accidental metadata changes when the signature is portable.

Right, there are a couple of  scenarios.  Let's be more specific as to
which scenario this patch is addressing.

- a public key is loaded and EVM_ALLOW_METADATA_WRITES is enabled,
- a public key is loaded and EVM_ALLOW_METADATA_WRITES is disabled,
- an HMAC key is loaded

For the first and last case, this patch shouldn't be necessary.  Only
the second case, with EVM_ALLOW_METADATA_WRITES disabled, probably does
not work.  I would claim that is working as designed.

thanks,

Mimi


^ permalink raw reply	[flat|nested] 24+ messages in thread

* RE: [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded
  2020-12-04 13:04       ` Mimi Zohar
@ 2020-12-04 14:59         ` Roberto Sassu
  0 siblings, 0 replies; 24+ messages in thread
From: Roberto Sassu @ 2020-12-04 14:59 UTC (permalink / raw)
  To: Mimi Zohar, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, Silviu Vlasceanu

> From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> Sent: Friday, December 4, 2020 2:05 PM
> On Fri, 2020-12-04 at 08:05 +0000, Roberto Sassu wrote:
> > > From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> > > Sent: Thursday, December 3, 2020 9:43 PM
> > > Hi Roberto,
> > >
> > > On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> > > > When a file is being created, LSMs can set the initial label with the
> > > > inode_init_security hook. If no HMAC key is loaded, the new file will
> have
> > > > LSM xattrs but not the HMAC.
> > > >
> > > > Unfortunately, EVM will deny any further metadata operation on new
> > > files,
> > > > as evm_protect_xattr() will always return the INTEGRITY_NOLABEL
> error.
> > > This
> > > > would limit the usability of EVM when only a public key is loaded, as
> > > > commands such as cp or tar with the option to preserve xattrs won't
> work.
> > > >
> > > > Ignoring this error won't be an issue if no HMAC key is loaded, as the
> > > > inode is locked until the post hook, and EVM won't calculate the HMAC
> on
> > > > metadata that wasn't previously verified. Thus this patch checks if an
> > > > HMAC key is loaded and if not, ignores INTEGRITY_NOLABEL.
> > >
> > > I'm not sure what problem this patch is trying to solve.
> > > evm_protect_xattr() is only called by evm_inode_setxattr() and
> > > evm_inode_removexattr(), which first checks whether
> > > EVM_ALLOW_METADATA_WRITES is enabled.
> >
> > The idea is to also support EVM verification when only a public key
> > is loaded. An advantage to do that is that for example we can prevent
> > accidental metadata changes when the signature is portable.
> 
> Right, there are a couple of  scenarios.  Let's be more specific as to
> which scenario this patch is addressing.
> 
> - a public key is loaded and EVM_ALLOW_METADATA_WRITES is enabled,
> - a public key is loaded and EVM_ALLOW_METADATA_WRITES is disabled,
> - an HMAC key is loaded
> 
> For the first and last case, this patch shouldn't be necessary.  Only
> the second case, with EVM_ALLOW_METADATA_WRITES disabled, probably
> does
> not work.  I would claim that is working as designed.

If there is no HMAC key loaded and a file is created, I think EVM should
not expect an HMAC and return an error. If we do metadata verification
only when an HMAC key is loaded, we miss a functionality that could be
useful also when only a public key is loaded.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PATCH v3 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal
  2020-11-11  9:22 ` [PATCH v3 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal Roberto Sassu
  2020-12-02 17:27   ` Mimi Zohar
@ 2021-03-01 18:06   ` Mimi Zohar
  1 sibling, 0 replies; 24+ messages in thread
From: Mimi Zohar @ 2021-03-01 18:06 UTC (permalink / raw)
  To: Roberto Sassu, mjg59
  Cc: linux-integrity, linux-security-module, linux-fsdevel,
	linux-kernel, silviu.vlasceanu

Hi Roberto,

On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> Public keys do not need to be appraised by IMA as the restriction on the
> IMA/EVM keyrings ensures that a key can be loaded only if it is signed with
> a key in the primary or secondary keyring.
> 
> However, when evm_load_x509() is called, appraisal is already enabled and
> a valid IMA signature must be added to the EVM key to pass verification.
> 
> Since the restriction is applied on both IMA and EVM keyrings, it is safe
> to disable appraisal also when the EVM key is loaded. This patch calls
> evm_load_x509() inside ima_load_x509() if CONFIG_IMA_LOAD_X509 is defined.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  security/integrity/iint.c         | 2 ++
>  security/integrity/ima/ima_init.c | 4 ++++
>  2 files changed, 6 insertions(+)
> 
> diff --git a/security/integrity/iint.c b/security/integrity/iint.c
> index 1d20003243c3..7d08c31c612f 100644
> --- a/security/integrity/iint.c
> +++ b/security/integrity/iint.c
> @@ -200,7 +200,9 @@ int integrity_kernel_read(struct file *file, loff_t offset,
>  void __init integrity_load_keys(void)
>  {
>  	ima_load_x509();
> +#ifndef CONFIG_IMA_LOAD_X509
>  	evm_load_x509();
> +#endif

Please replace the ifdef with the IS_ENABLED() equivalent.

thanks,

Mimi


^ permalink raw reply	[flat|nested] 24+ messages in thread

end of thread, other threads:[~2021-03-01 23:55 UTC | newest]

Thread overview: 24+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-11  9:22 [PATCH v3 00/11] evm: Improve usability of portable signatures Roberto Sassu
2020-11-11  9:22 ` [PATCH v3 01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded Roberto Sassu
2020-12-02 17:03   ` Mimi Zohar
2020-11-11  9:22 ` [PATCH v3 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal Roberto Sassu
2020-12-02 17:27   ` Mimi Zohar
2021-03-01 18:06   ` Mimi Zohar
2020-11-11  9:22 ` [PATCH v3 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded Roberto Sassu
2020-12-02 21:07   ` Mimi Zohar
2020-11-11  9:22 ` [PATCH v3 04/11] ima: Move ima_reset_appraise_flags() call to post hooks Roberto Sassu
2020-12-02 11:56   ` Roberto Sassu
2020-12-03 20:43     ` Mimi Zohar
2020-11-11  9:22 ` [PATCH v3 05/11] evm: Introduce evm_status_revalidate() Roberto Sassu
2020-11-11  9:22 ` [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded Roberto Sassu
2020-12-03 20:42   ` Mimi Zohar
2020-12-04  8:05     ` Roberto Sassu
2020-12-04 13:04       ` Mimi Zohar
2020-12-04 14:59         ` Roberto Sassu
2020-11-11  9:22 ` [PATCH v3 07/11] evm: Allow xattr/attr operations for portable signatures Roberto Sassu
2020-11-11  9:22 ` [PATCH v3 08/11] evm: Allow setxattr() and setattr() for unmodified metadata Roberto Sassu
2020-11-18 17:58   ` kernel test robot
2020-11-11  9:23 ` [PATCH v3 09/11] ima: Allow imasig requirement to be satisfied by EVM portable signatures Roberto Sassu
2020-11-11  9:23 ` [PATCH v3 10/11] ima: Introduce template field evmsig and write to field sig as fallback Roberto Sassu
2020-11-11  9:23 ` [PATCH v3 11/11] ima: Don't remove security.ima if file must not be appraised Roberto Sassu
2020-12-01 20:52 ` [PATCH v3 00/11] evm: Improve usability of portable signatures Mimi Zohar

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.