[RESEND][PATCH v6 05/11] evm: Introduce evm_hmac_disabled() to safely ignore verification errors

Mimi Zohar zohar at linux.ibm.com
Tue May 11 13:42:15 UTC 2021

On Fri, 2021-05-07 at 15:31 +0200, Roberto Sassu wrote:
> When a file is being created, LSMs can set the initial label with the
> inode_init_security hook. If no HMAC key is loaded, the new file will have
> LSM xattrs but not the HMAC. It is also possible that the file remains
> without protected xattrs after creation if no active LSM provided it.
> Unfortunately, EVM will deny any further metadata operation on new files,
> as evm_protect_xattr() will always return the INTEGRITY_NOLABEL error, or
> INTEGRITY_NOXATTRS if no protected xattrs exist. This would limit the
> usability of EVM when only a public key is loaded, as commands such as cp
> or tar with the option to preserve xattrs won't work.
> This patch introduces the evm_hmac_disabled() function to determine whether
> or not it is safe to ignore verification errors, based on the ability of
> EVM to calculate HMACs. If the HMAC key is not loaded, and it cannot be
> loaded in the future due to the EVM_SETUP_COMPLETE initialization flag,
> allowing an operation despite the attrs/xattrs being found invalid will not
> make them valid.
> Since the post hooks can be executed even when the HMAC key is not loaded,
> this patch also ensures that the EVM_INIT_HMAC initialization flag is set
> before the post hooks call evm_update_evmxattr().
> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> Suggested-by: Mimi Zohar <zohar at linux.ibm.com>

Thanks, Robert!

Reviewed-by:  Mimi Zohar <zohar at linux.ibm.com>

More information about the Linux-security-module-archive mailing list