hulk inclusion category: feature feature: digest-lists
---------------------------
Without resetting the status when security.evm is modified, IMA appraisal would keep using the cached result and would not detect whether the meta_immutable requirement is still satisfied.
This patch calls evm_reset_status() in the post hooks when security.evm is modified.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com
---
 security/integrity/evm/evm_main.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index ece39b80ca9c..5762336b5513 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -180,7 +180,6 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 evm_status = INTEGRITY_FAIL;
 goto out;
 }
- digest.hdr.algo = HASH_ALGO_SHA1;
 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, xattr_value_len, &digest);
@@ -562,12 +561,17 @@ static void evm_reset_status(struct inode *inode, int bit)
 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len)
 {
+ int is_evm = !strcmp(xattr_name, XATTR_NAME_EVM);
+
 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
- && !posix_xattr_acl(xattr_name)))
+ && !posix_xattr_acl(xattr_name) && !is_evm))
 return;
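Review bot: The removal of `digest.hdr.algo = HASH_ALGO_SHA1;` in evm_verify_hmac is not covered by the description, which only talks about resetting the cached status when security.evm changes. Unless evm_calc_hmac() itself sets hdr.algo on the digest it is handed, the verification path now runs with an unset algorithm field in the digest header; that cannot be confirmed from this hunk and should be stated explicitly, ideally by splitting the removal into its own commit with one sentence on where the algorithm is now chosen. evm_verify_hmac starts and ends outside the hunk.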
evm_reset_status(dentry->d_inode, IMA_CHANGE_XATTR);
+ if (is_evm)
+ return;
+
 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
 }
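Review bot: The new early return after evm_reset_status() in evm_inode_post_setxattr has no comment explaining why security.evm is the one name that invalidates the cached status but skips evm_update_evmxattr(); the same pattern appears in evm_inode_post_removexattr in the following hunk, and the note applies there too. A one-line comment above `if (is_evm)` such as `/* security.evm itself was just written or removed: invalidate the cached status only, do not regenerate the xattr */` would make the intent clear, and the kernel-doc for both functions, which sits outside these hunks, should mention that a change to security.evm only invalidates the cached appraisal result. `is_evm` holds a truth value derived from `!strcmp()`, so `bool is_evm` would read better than `int` in both functions.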
@@ -583,11 +587,16 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
 */
 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
 {
- if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
+ int is_evm = !strcmp(xattr_name, XATTR_NAME_EVM);
+
+ if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name) && !is_evm))
 return;
evm_reset_status(dentry->d_inode, IMA_CHANGE_XATTR);
+ if (is_evm)
+ return;
+
 evm_update_evmxattr(dentry, xattr_name, NULL, 0);
 }