[PATCH v6 04/11] evm: Introduce evm_status_revalidate()

Mimi Zohar zohar at linux.ibm.com
Tue May 11 13:42:08 UTC 2021


On Wed, 2021-05-05 at 13:29 +0200, Roberto Sassu wrote:
> When EVM_ALLOW_METADATA_WRITES is set, EVM allows any operation on
> metadata. Its main purpose is to allow users to freely set metadata when it
> is protected by a portable signature, until an HMAC key is loaded.
> 
> However, callers of evm_verifyxattr() are not notified about metadata
> changes and continue to rely on the last status returned by the function.
> For example IMA, since it caches the appraisal result, will not call again
> evm_verifyxattr() until the appraisal flags are cleared, and will grant
> access to the file even if there was a metadata operation that made the
> portable signature invalid.
> 
> This patch introduces evm_status_revalidate(), which callers of
> evm_verifyxattr() can use in their xattr hooks to determine whether
> re-validation is necessary and to do the proper actions. IMA calls it in
> its xattr hooks to reset the appraisal flags, so that the EVM status is
> re-evaluated after a metadata operation.
> 
> Lastly, this patch also adds a call to evm_reset_status() in
> evm_inode_post_setattr() to invalidate the cached EVM status after a
> setattr operation.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>

I'm really sorry for the patch churn, but could you rename
evm_status_revalidate() to evm_revalidate_status().

Otherwise,

Reviewed-by: Mimi Zohar <zohar at linux.ibm.com>

thanks,

Mimi
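The cache-staleness problem the quoted commit message describes (IMA caching its appraisal result, a metadata write invalidating the portable signature, and the xattr hook clearing the appraisal flags so EVM status is re-evaluated) as an added stand-alone model. This is not code from the patch or from the kernel: the toy_* names, the IMA_APPRAISED flag, and the FNV-1a digest standing in for EVM's HMAC/signature are all assumptions made for illustration.

```c
/* Added model, not kernel code: a cached EVM/IMA verdict goes stale after a
 * metadata write unless the xattr hook drops the cached appraisal flags.
 * All toy_* names and the digest are hypothetical stand-ins. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IMA_APPRAISED 0x1   /* toy analog of IMA's "result is cached" flag */

struct toy_file {
    uint32_t mode;           /* protected metadata */
    char xattr[64];          /* one protected xattr value, e.g. security.selinux */
    uint32_t sig;            /* toy "portable signature": digest over the metadata */
};

struct toy_iint {            /* toy analog of IMA's per-inode integrity cache */
    unsigned flags;
    int status;              /* 1 = verified, 0 = failed */
};

/* FNV-1a over the protected fields; stands in for EVM's HMAC or signature. */
static uint32_t toy_digest(const struct toy_file *f)
{
    uint32_t h = 2166136261u;
    const unsigned char *p = (const unsigned char *)&f->mode;
    size_t i;
    for (i = 0; i < sizeof f->mode; i++) { h ^= p[i]; h *= 16777619u; }
    for (i = 0; i < strlen(f->xattr); i++) { h ^= (unsigned char)f->xattr[i]; h *= 16777619u; }
    return h;
}

/* "Sign" the current metadata (constructed test data, no key involved). */
void toy_sign(struct toy_file *f) { f->sig = toy_digest(f); }

/* Toy evm_verifyxattr(): recompute the digest and compare to the signature. */
int toy_evm_verify(const struct toy_file *f) { return toy_digest(f) == f->sig; }

/* Toy IMA appraisal with caching: verify once, then trust the cached verdict. */
int toy_ima_appraise(const struct toy_file *f, struct toy_iint *iint)
{
    if (!(iint->flags & IMA_APPRAISED)) {
        iint->status = toy_evm_verify(f);
        iint->flags |= IMA_APPRAISED;
    }
    return iint->status;
}

/* Toy post-setxattr hook. 'revalidate' models the hook being told that the
 * metadata write happened and the cached status can no longer be trusted. */
void toy_ima_post_setxattr(struct toy_file *f, struct toy_iint *iint,
                           const char *value, int revalidate)
{
    strncpy(f->xattr, value, sizeof f->xattr - 1);
    f->xattr[sizeof f->xattr - 1] = '\0';
    if (revalidate)
        iint->flags &= ~IMA_APPRAISED;   /* force re-appraisal on next access */
}

/* Access verdict after a metadata change. with_revalidate == 0 reproduces the
 * stale-cache grant; with_revalidate == 1 shows the corrected behaviour.
 * Returns -1 if the freshly signed file unexpectedly fails verification. */
int toy_scenario(int with_revalidate)
{
    struct toy_file f = { .mode = 0644, .xattr = "system_u:object_r:etc_t:s0" };
    struct toy_iint iint = { 0 };
    toy_sign(&f);
    if (!toy_ima_appraise(&f, &iint))
        return -1;
    /* A label change invalidates the signature over the protected metadata. */
    toy_ima_post_setxattr(&f, &iint, "unconfined_u:object_r:bin_t:s0", with_revalidate);
    return toy_ima_appraise(&f, &iint);
}

int main(void)
{
    printf("without revalidation: access %s\n", toy_scenario(0) ? "granted (stale verdict)" : "denied");
    printf("with revalidation:    access %s\n", toy_scenario(1) ? "granted" : "denied");
    return 0;
}
```

The point of the model is the second appraisal: with the cache left intact the changed label is never re-checked and the file stays accessible under a signature that no longer matches; clearing the flag from the hook is what makes the next access recompute the verdict.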


