From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com,
zohar@linux.ibm.com, dmitry.kasatkin@gmail.com,
paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
stephen.smalley.work@gmail.com, eparis@parisplace.org,
casey@schaufler-ca.com
Cc: ocfs2-devel@oss.oracle.com, reiserfs-devel@vger.kernel.org,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
linux-kernel@vger.kernel.org, keescook@chromium.org,
nicolas.bouchinet@clip-os.org,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH v6 6/6] evm: Support multiple LSMs providing an xattr
Date: Wed, 23 Nov 2022 16:47:12 +0100 [thread overview]
Message-ID: <20221123154712.752074-7-roberto.sassu@huaweicloud.com> (raw)
In-Reply-To: <20221123154712.752074-1-roberto.sassu@huaweicloud.com>
From: Roberto Sassu <roberto.sassu@huawei.com>
Currently, evm_inode_init_security() processes a single LSM xattr from
the array passed by security_inode_init_security(), and calculates the
HMAC on it and other inode metadata.
Given that initxattrs() callbacks, called by
security_inode_init_security(), expect that this array is terminated when
the xattr name is set to NULL, reuse the same assumption to scan all xattrs
and to calculate the HMAC on all of them.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
security/integrity/evm/evm.h | 2 ++
security/integrity/evm/evm_crypto.c | 9 ++++++++-
security/integrity/evm/evm_main.c | 16 +++++++++++-----
3 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index f8b8c5004fc7..f799d72a59fa 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -46,6 +46,8 @@ struct evm_digest {
char digest[IMA_MAX_DIGEST_SIZE];
} __packed;
+int evm_protected_xattr(const char *req_xattr_name);
+
int evm_init_key(void);
int evm_update_evmxattr(struct dentry *dentry,
const char *req_xattr_name,
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 708de9656bbd..68f99faac316 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -389,6 +389,7 @@ int evm_init_hmac(struct inode *inode, const struct xattr *lsm_xattr,
char *hmac_val)
{
struct shash_desc *desc;
+ const struct xattr *xattr;
desc = init_desc(EVM_XATTR_HMAC, HASH_ALGO_SHA1);
if (IS_ERR(desc)) {
@@ -396,7 +397,13 @@ int evm_init_hmac(struct inode *inode, const struct xattr *lsm_xattr,
return PTR_ERR(desc);
}
- crypto_shash_update(desc, lsm_xattr->value, lsm_xattr->value_len);
+ for (xattr = lsm_xattr; xattr->name != NULL; xattr++) {
+ if (!evm_protected_xattr(xattr->name))
+ continue;
+
+ crypto_shash_update(desc, xattr->value, xattr->value_len);
+ }
+
hmac_add_misc(desc, inode, EVM_XATTR_HMAC, hmac_val);
kfree(desc);
return 0;
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 0a312cafb7de..1cf6871a0019 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -305,7 +305,7 @@ static int evm_protected_xattr_common(const char *req_xattr_name,
return found;
}
-static int evm_protected_xattr(const char *req_xattr_name)
+int evm_protected_xattr(const char *req_xattr_name)
{
return evm_protected_xattr_common(req_xattr_name, false);
}
@@ -851,14 +851,20 @@ int evm_inode_init_security(struct inode *inode, struct inode *dir,
{
struct evm_xattr *xattr_data;
struct xattr *xattr, *evm_xattr;
+ bool evm_protected_xattrs = false;
int rc;
- if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs ||
- !evm_protected_xattr(xattrs->name))
+ if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs)
return -EOPNOTSUPP;
- for (xattr = xattrs; xattr->value != NULL; xattr++)
- ;
+ for (xattr = xattrs; xattr->value != NULL; xattr++) {
+ if (evm_protected_xattr(xattr->name))
+ evm_protected_xattrs = true;
+ }
+
+ /* EVM xattr not needed. */
+ if (!evm_protected_xattrs)
+ return -EOPNOTSUPP;
evm_xattr = xattr;
--
2.25.1
WARNING: multiple messages have this Message-ID (diff)
From: Roberto Sassu via Ocfs2-devel <ocfs2-devel@oss.oracle.com>
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com,
zohar@linux.ibm.com, dmitry.kasatkin@gmail.com,
paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
stephen.smalley.work@gmail.com, eparis@parisplace.org,
casey@schaufler-ca.com
Cc: nicolas.bouchinet@clip-os.org, keescook@chromium.org,
selinux@vger.kernel.org, Roberto Sassu <roberto.sassu@huawei.com>,
reiserfs-devel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org, ocfs2-devel@oss.oracle.com
Subject: [Ocfs2-devel] [PATCH v6 6/6] evm: Support multiple LSMs providing an xattr
Date: Wed, 23 Nov 2022 16:47:12 +0100 [thread overview]
Message-ID: <20221123154712.752074-7-roberto.sassu@huaweicloud.com> (raw)
In-Reply-To: <20221123154712.752074-1-roberto.sassu@huaweicloud.com>
From: Roberto Sassu <roberto.sassu@huawei.com>
Currently, evm_inode_init_security() processes a single LSM xattr from
the array passed by security_inode_init_security(), and calculates the
HMAC on it and other inode metadata.
Given that initxattrs() callbacks, called by
security_inode_init_security(), expect that this array is terminated when
the xattr name is set to NULL, reuse the same assumption to scan all xattrs
and to calculate the HMAC on all of them.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
security/integrity/evm/evm.h | 2 ++
security/integrity/evm/evm_crypto.c | 9 ++++++++-
security/integrity/evm/evm_main.c | 16 +++++++++++-----
3 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index f8b8c5004fc7..f799d72a59fa 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -46,6 +46,8 @@ struct evm_digest {
char digest[IMA_MAX_DIGEST_SIZE];
} __packed;
+int evm_protected_xattr(const char *req_xattr_name);
+
int evm_init_key(void);
int evm_update_evmxattr(struct dentry *dentry,
const char *req_xattr_name,
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 708de9656bbd..68f99faac316 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -389,6 +389,7 @@ int evm_init_hmac(struct inode *inode, const struct xattr *lsm_xattr,
char *hmac_val)
{
struct shash_desc *desc;
+ const struct xattr *xattr;
desc = init_desc(EVM_XATTR_HMAC, HASH_ALGO_SHA1);
if (IS_ERR(desc)) {
@@ -396,7 +397,13 @@ int evm_init_hmac(struct inode *inode, const struct xattr *lsm_xattr,
return PTR_ERR(desc);
}
- crypto_shash_update(desc, lsm_xattr->value, lsm_xattr->value_len);
+ for (xattr = lsm_xattr; xattr->name != NULL; xattr++) {
+ if (!evm_protected_xattr(xattr->name))
+ continue;
+
+ crypto_shash_update(desc, xattr->value, xattr->value_len);
+ }
+
hmac_add_misc(desc, inode, EVM_XATTR_HMAC, hmac_val);
kfree(desc);
return 0;
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 0a312cafb7de..1cf6871a0019 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -305,7 +305,7 @@ static int evm_protected_xattr_common(const char *req_xattr_name,
return found;
}
-static int evm_protected_xattr(const char *req_xattr_name)
+int evm_protected_xattr(const char *req_xattr_name)
{
return evm_protected_xattr_common(req_xattr_name, false);
}
@@ -851,14 +851,20 @@ int evm_inode_init_security(struct inode *inode, struct inode *dir,
{
struct evm_xattr *xattr_data;
struct xattr *xattr, *evm_xattr;
+ bool evm_protected_xattrs = false;
int rc;
- if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs ||
- !evm_protected_xattr(xattrs->name))
+ if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs)
return -EOPNOTSUPP;
- for (xattr = xattrs; xattr->value != NULL; xattr++)
- ;
+ for (xattr = xattrs; xattr->value != NULL; xattr++) {
+ if (evm_protected_xattr(xattr->name))
+ evm_protected_xattrs = true;
+ }
+
+ /* EVM xattr not needed. */
+ if (!evm_protected_xattrs)
+ return -EOPNOTSUPP;
evm_xattr = xattr;
--
2.25.1
_______________________________________________
Ocfs2-devel mailing list
Ocfs2-devel@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/ocfs2-devel
next prev parent reply other threads:[~2022-11-23 15:49 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-23 15:47 [PATCH v6 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes Roberto Sassu
2022-11-23 15:47 ` [Ocfs2-devel] " Roberto Sassu via Ocfs2-devel
2022-11-23 15:47 ` [PATCH v6 1/6] reiserfs: Switch to security_inode_init_security() Roberto Sassu
2022-11-23 15:47 ` [Ocfs2-devel] " Roberto Sassu via Ocfs2-devel
2022-11-23 15:47 ` [PATCH v6 2/6] ocfs2: " Roberto Sassu
2022-11-23 15:47 ` [Ocfs2-devel] " Roberto Sassu via Ocfs2-devel
2022-11-23 15:47 ` [PATCH v6 3/6] security: Remove security_old_inode_init_security() Roberto Sassu
2022-11-23 15:47 ` [Ocfs2-devel] " Roberto Sassu via Ocfs2-devel
2022-11-23 15:47 ` [Ocfs2-devel] [PATCH v6 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook Roberto Sassu via Ocfs2-devel
2022-11-23 15:47 ` Roberto Sassu
2022-11-23 17:17 ` Casey Schaufler
2022-11-23 17:17 ` [Ocfs2-devel] " Casey Schaufler via Ocfs2-devel
2022-11-24 7:55 ` Roberto Sassu
2022-11-24 7:55 ` [Ocfs2-devel] " Roberto Sassu via Ocfs2-devel
2022-11-24 1:14 ` Mimi Zohar
2022-11-24 1:14 ` [Ocfs2-devel] " Mimi Zohar via Ocfs2-devel
2022-11-24 8:17 ` Roberto Sassu
2022-11-24 8:17 ` [Ocfs2-devel] " Roberto Sassu via Ocfs2-devel
2022-11-29 11:23 ` Mimi Zohar
2022-11-29 11:23 ` [Ocfs2-devel] " Mimi Zohar via Ocfs2-devel
2022-11-29 15:39 ` Casey Schaufler
2022-11-29 15:39 ` [Ocfs2-devel] " Casey Schaufler via Ocfs2-devel
2022-11-30 21:23 ` Mimi Zohar
2022-11-30 21:23 ` [Ocfs2-devel] " Mimi Zohar via Ocfs2-devel
2022-11-23 15:47 ` [Ocfs2-devel] [PATCH v6 5/6] evm: Align evm_inode_init_security() definition with LSM infrastructure Roberto Sassu via Ocfs2-devel
2022-11-23 15:47 ` Roberto Sassu
2022-11-23 15:47 ` Roberto Sassu [this message]
2022-11-23 15:47 ` [Ocfs2-devel] [PATCH v6 6/6] evm: Support multiple LSMs providing an xattr Roberto Sassu via Ocfs2-devel
2022-11-23 16:22 ` [PATCH v6 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes Mimi Zohar
2022-11-23 16:22 ` [Ocfs2-devel] " Mimi Zohar via Ocfs2-devel
2022-11-23 17:20 ` Casey Schaufler
2022-11-23 17:20 ` [Ocfs2-devel] " Casey Schaufler via Ocfs2-devel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221123154712.752074-7-roberto.sassu@huaweicloud.com \
--to=roberto.sassu@huaweicloud.com \
--cc=casey@schaufler-ca.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eparis@parisplace.org \
--cc=jlbec@evilplan.org \
--cc=jmorris@namei.org \
--cc=joseph.qi@linux.alibaba.com \
--cc=keescook@chromium.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mark@fasheh.com \
--cc=nicolas.bouchinet@clip-os.org \
--cc=ocfs2-devel@oss.oracle.com \
--cc=paul@paul-moore.com \
--cc=reiserfs-devel@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.