[PATCH v5 09/12] evm: Allow setxattr() and setattr() for unmodified metadata

Mimi Zohar zohar at linux.ibm.com
Mon May 3 13:00:21 UTC 2021

On Wed, 2021-04-07 at 12:52 +0200, Roberto Sassu wrote:

> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> @@ -389,6 +473,11 @@ static int evm_protect_xattr(struct user_namespace *mnt_userns,
>  	if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
>  		return 0;
> +	if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
> +	    !evm_xattr_change(mnt_userns, dentry, xattr_name, xattr_value,
> +			      xattr_value_len))
> +		return 0;
> +

If the purpose of evm_protect_xattr() is to prevent allowing an invalid
security.evm xattr from being re-calculated and updated, making it
valid, INTEGRITY_PASS_IMMUTABLE shouldn't need to be conditional.  Any
time there is an attr or xattr change, including setting it to the
existing value, the status flag should be reset.

I'm wondering if making INTEGRITY_PASS_IMMUTABLE conditional would
prevent the file from being resigned.

>  	if (evm_status != INTEGRITY_PASS)
>  		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
>  				    dentry->d_name.name, "appraise_metadata",

This would then be updated to if not INTEGRITY_PASS or
INTEGRITY_PASS_IMMUTABLE.  The subsequent "return" would need to be
updated as well.



More information about the Linux-security-module-archive mailing list