[PATCH] evm: Use ordered xattrs list to calculate HMAC in evm_init_hmac()
Mimi Zohar
zohar at linux.ibm.com
Fri Jan 23 19:33:56 UTC 2026
On Thu, 2026-01-22 at 09:07 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu at huawei.com>
>
> Commit 8e5d9f916a96 ("smack: deduplicate xattr setting in
> smack_inode_init_security()") introduced xattr_dupval() to simplify setting
> the xattrs to be provided by the SMACK LSM on inode creation, in
> smack_inode_init_security().
>
> Unfortunately, moving lsm_get_xattr_slot() caused the SMACK64TRANSMUTE
> xattr to be added to the array of new xattrs before SMACK64. This causes the
> HMAC of xattrs calculated by evm_init_hmac() for new files to diverge from
> the one calculated by both evm_calc_hmac_or_hash() and evmctl.
>
> evm_init_hmac() calculates the HMAC of the xattrs of new files based on the
> order LSMs provide them, while evm_calc_hmac_or_hash() and evmctl calculate
> the HMAC based on an ordered xattrs list.
>
> Fix the issue by making evm_init_hmac() calculate the HMAC of new files
> based on the ordered xattrs list too.
>
> Fixes: 8e5d9f916a96 ("smack: deduplicate xattr setting in smack_inode_init_security()")
> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
Thanks, Roberto. The patch is now queued in next-integrity.
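The commit message above explains the divergence purely in terms of ordering: an HMAC over the same xattr values fed in a different sequence is a different HMAC. The following is an added example written for this page, not kernel code or evmctl code, that models the two computations side by side. It assumes a made-up 32-byte key, made-up SMACK label values, and a canonical xattr order (EVM_ORDERED_XATTR_NAMES) that stands in for the EVM-protected xattr list; the real HMAC also covers inode metadata and uses a kernel-keyring key, both omitted here.

```python
"""Added example: why LSM-provided xattr order changes the EVM HMAC.

Illustrative code only, not the kernel's evm_init_hmac() or evmctl.
The HMAC covers only xattr values; the real evm_calc_hmac_or_hash()
also mixes in inode metadata (ino, generation, uid, gid, mode).
"""
import hashlib
import hmac

# Constructed key for the example; the kernel reads it from the keyring.
EVM_KEY = bytes(range(32))

# Assumed canonical order walked by evm_calc_hmac_or_hash() and evmctl.
# Stand-in for the EVM-protected xattr list; the authoritative list is
# in the kernel's security/integrity/evm/evm_main.c.
EVM_ORDERED_XATTR_NAMES = (
    "security.selinux",
    "security.SMACK64",
    "security.SMACK64EXEC",
    "security.SMACK64TRANSMUTE",
    "security.SMACK64MMAP",
    "security.apparmor",
    "security.ima",
    "security.capability",
)

# Constructed xattr set in the order the regression hands them over:
# SMACK64TRANSMUTE before SMACK64. Label values are made up.
REGRESSION_ORDER = [
    ("security.SMACK64TRANSMUTE", b"TRUE"),
    ("security.SMACK64", b"_"),
]


def hmac_in_given_order(key, xattrs):
    """Model of the pre-fix evm_init_hmac(): feed values as received."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for _name, value in xattrs:
        h.update(value)
    return h.hexdigest()


def canonicalize(xattrs):
    """Reorder by EVM_ORDERED_XATTR_NAMES; drop names EVM does not protect.

    A duplicate name is rejected: two values for one xattr would make the
    digest ambiguous, and the kernel never produces that for a new inode.
    """
    by_name = {}
    for name, value in xattrs:
        if name in by_name:
            raise ValueError(f"duplicate xattr {name}")
        by_name[name] = value
    return [(n, by_name[n]) for n in EVM_ORDERED_XATTR_NAMES if n in by_name]


def hmac_in_canonical_order(key, xattrs):
    """Model of evm_calc_hmac_or_hash(), evmctl, and the fixed evm_init_hmac()."""
    return hmac_in_given_order(key, canonicalize(xattrs))


if __name__ == "__main__":
    buggy = hmac_in_given_order(EVM_KEY, REGRESSION_ORDER)
    fixed = hmac_in_canonical_order(EVM_KEY, REGRESSION_ORDER)
    print("HMAC in LSM order      :", buggy)
    print("HMAC in canonical order:", fixed)
    print("match:", buggy == fixed)
```

Run as a script, the two digests differ for the regression ordering and agree once the input is already canonical; the point to take from it is that any code path producing an EVM HMAC, including the one for freshly created inodes, has to iterate the same fixed list rather than trust the order a caller supplies.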