[PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded

Roberto Sassu roberto.sassu at huawei.com
Fri Dec 4 08:05:05 UTC 2020


> From: Mimi Zohar [mailto:zohar at linux.ibm.com]
> Sent: Thursday, December 3, 2020 9:43 PM
> Hi Roberto,
> 
> On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> > When a file is being created, LSMs can set the initial label with the
> > inode_init_security hook. If no HMAC key is loaded, the new file will have
> > LSM xattrs but not the HMAC.
> >
> > Unfortunately, EVM will deny any further metadata operation on new
> files,
> > as evm_protect_xattr() will always return the INTEGRITY_NOLABEL error.
> This
> > would limit the usability of EVM when only a public key is loaded, as
> > commands such as cp or tar with the option to preserve xattrs won't work.
> >
> > Ignoring this error won't be an issue if no HMAC key is loaded, as the
> > inode is locked until the post hook, and EVM won't calculate the HMAC on
> > metadata that wasn't previously verified. Thus this patch checks if an
> > HMAC key is loaded and if not, ignores INTEGRITY_NOLABEL.
> 
> I'm not sure what problem this patch is trying to solve.
> evm_protect_xattr() is only called by evm_inode_setxattr() and
> evm_inode_removexattr(), which first checks whether
> EVM_ALLOW_METADATA_WRITES is enabled.

The idea is to also support EVM verification when only a public key
is loaded. An advantage to do that is that for example we can prevent
accidental metadata changes when the signature is portable.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli



More information about the Linux-security-module-archive mailing list