[PATCH v7 6/6] evm: Support multiple LSMs providing an xattr
Mimi Zohar
zohar at linux.ibm.com
Sun Feb 19 19:42:11 UTC 2023
On Thu, 2022-12-01 at 11:41 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu at huawei.com>
>
> Currently, evm_inode_init_security() processes a single LSM xattr from
> the array passed by security_inode_init_security(), and calculates the
> HMAC on it and other inode metadata.
>
> Given that initxattrs() callbacks, called by
> security_inode_init_security(), expect that this array is terminated when
> the xattr name is set to NULL, reuse the same assumption to scan all xattrs
> and to calculate the HMAC on all of them.
>
> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> Reviewed-by: Casey Schaufler <casey at schaufler-ca.com>
Normally changing the contents of the EVM HMAC calculation would break
existing systems. Assuming for the time being this is safe, at what
point will it affect backwards compatability? Should it be documented
now or then?
--
thanks,
Mimi
More information about the Linux-security-module-archive
mailing list