From: Roberto Sassu <roberto.sassu@huawei.com>
To: <zohar@linux.ibm.com>, <mjg59@google.com>
Cc: <linux-integrity@vger.kernel.org>,
<linux-security-module@vger.kernel.org>,
<linux-fsdevel@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<silviu.vlasceanu@huawei.com>,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded
Date: Wed, 11 Nov 2020 10:22:57 +0100 [thread overview]
Message-ID: <20201111092302.1589-7-roberto.sassu@huawei.com> (raw)
In-Reply-To: <20201111092302.1589-1-roberto.sassu@huawei.com>
When a file is being created, LSMs can set the initial label with the
inode_init_security hook. If no HMAC key is loaded, the new file will have
LSM xattrs but not the HMAC.
Unfortunately, EVM will deny any further metadata operation on new files,
as evm_protect_xattr() will always return the INTEGRITY_NOLABEL error. This
would limit the usability of EVM when only a public key is loaded, as
commands such as cp or tar with the option to preserve xattrs won't work.
Ignoring this error won't be an issue if no HMAC key is loaded, as the
inode is locked until the post hook, and EVM won't calculate the HMAC on
metadata that wasn't previously verified. Thus this patch checks if an
HMAC key is loaded and if not, ignores INTEGRITY_NOLABEL.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
security/integrity/evm/evm_main.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index b38ffa39faa8..4f4404a12bbd 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -354,6 +354,14 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
-EPERM, 0);
}
out:
+ /*
+ * Ignoring INTEGRITY_NOLABEL is safe if no HMAC key is loaded, as
+ * EVM won't calculate the HMAC of metadata that wasn't previously
+ * verified.
+ */
+ if (evm_status == INTEGRITY_NOLABEL &&
+ !(evm_initialized & EVM_INIT_HMAC))
+ return 0;
if (evm_status != INTEGRITY_PASS)
integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
dentry->d_name.name, "appraise_metadata",
@@ -514,8 +522,15 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
return 0;
evm_status = evm_verify_current_integrity(dentry);
+ /*
+ * Ignoring INTEGRITY_NOLABEL is safe if no HMAC key is loaded, as
+ * EVM won't calculate the HMAC of metadata that wasn't previously
+ * verified.
+ */
if ((evm_status == INTEGRITY_PASS) ||
- (evm_status == INTEGRITY_NOXATTRS))
+ (evm_status == INTEGRITY_NOXATTRS) ||
+ (evm_status == INTEGRITY_NOLABEL &&
+ !(evm_initialized & EVM_INIT_HMAC)))
return 0;
integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
dentry->d_name.name, "appraise_metadata",
--
2.27.GIT
next prev parent reply other threads:[~2020-11-11 9:25 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-11 9:22 [PATCH v3 00/11] evm: Improve usability of portable signatures Roberto Sassu
2020-11-11 9:22 ` [PATCH v3 01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded Roberto Sassu
2020-12-02 17:03 ` Mimi Zohar
2020-11-11 9:22 ` [PATCH v3 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal Roberto Sassu
2020-12-02 17:27 ` Mimi Zohar
2021-03-01 18:06 ` Mimi Zohar
2020-11-11 9:22 ` [PATCH v3 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded Roberto Sassu
2020-12-02 21:07 ` Mimi Zohar
2020-11-11 9:22 ` [PATCH v3 04/11] ima: Move ima_reset_appraise_flags() call to post hooks Roberto Sassu
2020-12-02 11:56 ` Roberto Sassu
2020-12-03 20:43 ` Mimi Zohar
2020-11-11 9:22 ` [PATCH v3 05/11] evm: Introduce evm_status_revalidate() Roberto Sassu
2020-11-11 9:22 ` Roberto Sassu [this message]
2020-12-03 20:42 ` [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded Mimi Zohar
2020-12-04 8:05 ` Roberto Sassu
2020-12-04 13:04 ` Mimi Zohar
2020-12-04 14:59 ` Roberto Sassu
2020-11-11 9:22 ` [PATCH v3 07/11] evm: Allow xattr/attr operations for portable signatures Roberto Sassu
2020-11-11 9:22 ` [PATCH v3 08/11] evm: Allow setxattr() and setattr() for unmodified metadata Roberto Sassu
2020-11-18 17:58 ` kernel test robot
2020-11-11 9:23 ` [PATCH v3 09/11] ima: Allow imasig requirement to be satisfied by EVM portable signatures Roberto Sassu
2020-11-11 9:23 ` [PATCH v3 10/11] ima: Introduce template field evmsig and write to field sig as fallback Roberto Sassu
2020-11-11 9:23 ` [PATCH v3 11/11] ima: Don't remove security.ima if file must not be appraised Roberto Sassu
2020-12-01 20:52 ` [PATCH v3 00/11] evm: Improve usability of portable signatures Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201111092302.1589-7-roberto.sassu@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
--cc=silviu.vlasceanu@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).