[PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded

Mimi Zohar zohar at linux.ibm.com
Thu Dec 3 20:42:44 UTC 2020

Hi Roberto,

On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> When a file is being created, LSMs can set the initial label with the
> inode_init_security hook. If no HMAC key is loaded, the new file will have
> LSM xattrs but not the HMAC.
> Unfortunately, EVM will deny any further metadata operation on new files,
> as evm_protect_xattr() will always return the INTEGRITY_NOLABEL error. This
> would limit the usability of EVM when only a public key is loaded, as
> commands such as cp or tar with the option to preserve xattrs won't work.
> Ignoring this error won't be an issue if no HMAC key is loaded, as the
> inode is locked until the post hook, and EVM won't calculate the HMAC on
> metadata that wasn't previously verified. Thus this patch checks if an
> HMAC key is loaded and if not, ignores INTEGRITY_NOLABEL.

I'm not sure what problem this patch is trying to solve. 
evm_protect_xattr() is only called by evm_inode_setxattr() and
evm_inode_removexattr(), which first checks whether


More information about the Linux-security-module-archive mailing list