[PATCH] evm: Change vfs_getxattr() with __vfs_getxattr() in evm_calc_hmac_or_hash()

Roberto Sassu roberto.sassu at huaweicloud.com
Thu Mar 7 14:36:14 UTC 2024


On Thu, 2024-03-07 at 08:31 -0600, Seth Forshee wrote:
> On Thu, Mar 07, 2024 at 01:22:39PM +0100, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu at huawei.com>
> > 
> > Use __vfs_getxattr() instead of vfs_getxattr(), in preparation for
> > deprecating using the vfs_ interfaces for retrieving fscaps.
> > 
> > __vfs_getxattr() is only used for debugging purposes, to check if kernel
> > space and user space see the same xattr value.
> 
> __vfs_getxattr() won't give you the value as seen by userspace though.
> Userspace goes through vfs_getxattr() -> xattr_getsecurity() ->
> cap_inode_getsecurity(), which does the conversion to the value
> userspace sees. __vfs_getxattr() just gives the raw disk data.
> 
> I'm also currently working on changes to my fscaps series that will make
> it so that __vfs_getxattr() also cannot be used to read fscaps xattrs.
> I'll fix this and other code in EVM which will be broken by that change
> as part of the next version too.

You are right, thank you!

Roberto

> > 
> > Cc: stable at vger.kernel.org # 5.14.x
> > Cc: linux-fsdevel at vger.kernel.org
> > Cc: Christian Brauner <brauner at kernel.org>
> > Cc: Seth Forshee (DigitalOcean) <sforshee at kernel.org>
> > Fixes: 907a399de7b0 ("evm: Check xattr size discrepancy between kernel and user")
> > Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> > ---
> >  security/integrity/evm/evm_crypto.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
> > index b1ffd4cc0b44..168d98c63513 100644
> > --- a/security/integrity/evm/evm_crypto.c
> > +++ b/security/integrity/evm/evm_crypto.c
> > @@ -278,8 +278,8 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
> >  		if (size < 0)
> >  			continue;
> >  
> > -		user_space_size = vfs_getxattr(&nop_mnt_idmap, dentry,
> > -					       xattr->name, NULL, 0);
> > +		user_space_size = __vfs_getxattr(dentry, inode, xattr->name,
> > +						 NULL, 0);
> >  		if (user_space_size != size)
> >  			pr_debug("file %s: xattr %s size mismatch (kernel: %d, user: %d)\n",
> >  				 dentry->d_name.name, xattr->name, size,
> > -- 
> > 2.34.1
> > 




More information about the Linux-security-module-archive mailing list