[PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded
Mimi Zohar
zohar at linux.ibm.com
Thu Dec 3 20:42:44 UTC 2020
Hi Roberto,
On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> When a file is being created, LSMs can set the initial label with the
> inode_init_security hook. If no HMAC key is loaded, the new file will have
> LSM xattrs but not the HMAC.
>
> Unfortunately, EVM will deny any further metadata operation on new files,
> as evm_protect_xattr() will always return the INTEGRITY_NOLABEL error. This
> would limit the usability of EVM when only a public key is loaded, as
> commands such as cp or tar with the option to preserve xattrs won't work.
>
> Ignoring this error won't be an issue if no HMAC key is loaded, as the
> inode is locked until the post hook, and EVM won't calculate the HMAC on
> metadata that wasn't previously verified. Thus this patch checks if an
> HMAC key is loaded and if not, ignores INTEGRITY_NOLABEL.
I'm not sure what problem this patch is trying to solve.
evm_protect_xattr() is only called by evm_inode_setxattr() and
evm_inode_removexattr(), which first checks whether
EVM_ALLOW_METADATA_WRITES is enabled.
Mimi
More information about the Linux-security-module-archive
mailing list