[PATCH] fs: Return raw xattr for security.* if there is size disagreement with LSMs

Roberto Sassu roberto.sassu at huawei.com
Fri Jun 18 16:10:18 UTC 2021


> From: Mimi Zohar [mailto:zohar at linux.ibm.com]
> Sent: Friday, June 18, 2021 6:04 PM
> On Thu, 2021-06-17 at 23:18 -0400, Paul Moore wrote:
> > On Thu, Jun 17, 2021 at 11:28 AM Mimi Zohar <zohar at linux.ibm.com>
> wrote:
> > > On Thu, 2021-06-17 at 07:09 +0000, Roberto Sassu wrote:
> >
> > ...
> >
> > > > An alternative would be to do the EVM verification twice if the
> > > > first time didn't succeed (with vfs_getxattr_alloc() and with the
> > > > new function that behaves like vfs_getxattr()).
> > >
> > > Unfortunately, I don't see an alternative.
> >
> > ... and while unfortunate, the impact should be non-existant if you
> > are using the right tools to label files or ensuring that you are
> > formatting labels properly if doing it by hand.
> >
> > Handling a corner case is good, but I wouldn't add a lot of code
> > complexity trying to optimize it.
> 
> From userspace it's really difficult to understand the EVM signature
> verification failure is due to the missing NULL.
> 
> Roberto, I just pushed the "evm: output EVM digest calculation info"
> patch to the next-integrity-testing branch, which includes some
> debugging.   Instead of this patch, which returns the raw xattr data,
> how about adding additional debugging info in evm_calc_hmac_or_hash()
> indicating the size discrepancy between the raw xattr and the LSM
> returned xattr?

Good idea. Will do it.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

> thanks,
> 
> Mimi



More information about the Linux-security-module-archive mailing list