This patch set provides some improvements and fixes. The first three patches solve a permission problem caused by EVM. EVM also denies xattr operations for files that are not appraised by IMA. If only executables are appraised, xattr operations on the other files should be allowed, even if metadata verification fails (for example, due to a missing security.evm).
At the moment, in openEuler we use EVM_ALLOW_METADATA_WRITES to avoid this problem (EVM does not check metadata integrity), but it would be useful to do the verification, for example to prevent accidental changes to immutable metadata.
The fourth patch enables the choice of the algorithm for the HMAC and ensures that the parameters passed to the functions which handle the HMAC are consistent with the algorithm chosen.
The last three patches are simple bug fixes.
Roberto Sassu (7):
  evm: Move hooks outside LSM infrastructure
  evm: Extend API of post hooks to pass the result of pre hooks
  evm: Return -EAGAIN to ignore verification failures
  evm: Propagate choice of HMAC algorithm in evm_crypto.c
  ima: Fix datalen check in ima_write_data()
  evm: Fix validation of fake xattr passed by IMA
  evm: Initialize saved_evm_status

 fs/attr.c                           |  7 ++-
 fs/xattr.c                          | 64 +++++++++++++++++---------
 include/linux/evm.h                 | 18 +++++---
 security/integrity/evm/Kconfig      | 32 +++++++++++++
 security/integrity/evm/evm.h        |  1 +
 security/integrity/evm/evm_crypto.c | 15 ++++--
 security/integrity/evm/evm_main.c   | 71 +++++++++++++++++++++--------
 security/integrity/ima/ima_fs.c     |  2 +-
 security/integrity/integrity.h      |  2 +-
 security/security.c                 | 18 ++------
 10 files changed, 158 insertions(+), 72 deletions(-)