forked from Minki/linux
evm: Introduce evm_revalidate_status()
When EVM_ALLOW_METADATA_WRITES is set, EVM allows any operation on metadata. Its main purpose is to allow users to freely set metadata when it is protected by a portable signature, until an HMAC key is loaded. However, callers of evm_verifyxattr() are not notified about metadata changes and continue to rely on the last status returned by the function. For example IMA, since it caches the appraisal result, will not call again evm_verifyxattr() until the appraisal flags are cleared, and will grant access to the file even if there was a metadata operation that made the portable signature invalid. This patch introduces evm_revalidate_status(), which callers of evm_verifyxattr() can use in their xattr hooks to determine whether re-validation is necessary and to do the proper actions. IMA calls it in its xattr hooks to reset the appraisal flags, so that the EVM status is re-evaluated after a metadata operation. Lastly, this patch also adds a call to evm_reset_status() in evm_inode_post_setattr() to invalidate the cached EVM status after a setattr operation. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
parent
9acc89d31f
commit
e3ccfe1ad7
@ -35,6 +35,7 @@ extern void evm_inode_post_removexattr(struct dentry *dentry,
|
||||
extern int evm_inode_init_security(struct inode *inode,
|
||||
const struct xattr *xattr_array,
|
||||
struct xattr *evm);
|
||||
extern bool evm_revalidate_status(const char *xattr_name);
|
||||
#ifdef CONFIG_FS_POSIX_ACL
|
||||
extern int posix_xattr_acl(const char *xattrname);
|
||||
#else
|
||||
@ -104,5 +105,10 @@ static inline int evm_inode_init_security(struct inode *inode,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline bool evm_revalidate_status(const char *xattr_name)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
#endif /* CONFIG_EVM */
|
||||
#endif /* LINUX_EVM_H */
|
||||
|
@ -425,6 +425,31 @@ static void evm_reset_status(struct inode *inode)
|
||||
iint->evm_status = INTEGRITY_UNKNOWN;
|
||||
}
|
||||
|
||||
/**
|
||||
* evm_revalidate_status - report whether EVM status re-validation is necessary
|
||||
* @xattr_name: pointer to the affected extended attribute name
|
||||
*
|
||||
* Report whether callers of evm_verifyxattr() should re-validate the
|
||||
* EVM status.
|
||||
*
|
||||
* Return true if re-validation is necessary, false otherwise.
|
||||
*/
|
||||
bool evm_revalidate_status(const char *xattr_name)
|
||||
{
|
||||
if (!evm_key_loaded())
|
||||
return false;
|
||||
|
||||
/* evm_inode_post_setattr() passes NULL */
|
||||
if (!xattr_name)
|
||||
return true;
|
||||
|
||||
if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) &&
|
||||
strcmp(xattr_name, XATTR_NAME_EVM))
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* evm_inode_post_setxattr - update 'security.evm' to reflect the changes
|
||||
* @dentry: pointer to the affected dentry
|
||||
@ -441,12 +466,14 @@ static void evm_reset_status(struct inode *inode)
|
||||
void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
|
||||
const void *xattr_value, size_t xattr_value_len)
|
||||
{
|
||||
if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
|
||||
&& !posix_xattr_acl(xattr_name)))
|
||||
if (!evm_revalidate_status(xattr_name))
|
||||
return;
|
||||
|
||||
evm_reset_status(dentry->d_inode);
|
||||
|
||||
if (!strcmp(xattr_name, XATTR_NAME_EVM))
|
||||
return;
|
||||
|
||||
evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
|
||||
}
|
||||
|
||||
@ -462,11 +489,14 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
|
||||
*/
|
||||
void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
|
||||
{
|
||||
if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
|
||||
if (!evm_revalidate_status(xattr_name))
|
||||
return;
|
||||
|
||||
evm_reset_status(dentry->d_inode);
|
||||
|
||||
if (!strcmp(xattr_name, XATTR_NAME_EVM))
|
||||
return;
|
||||
|
||||
evm_update_evmxattr(dentry, xattr_name, NULL, 0);
|
||||
}
|
||||
|
||||
@ -513,9 +543,11 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
|
||||
*/
|
||||
void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
|
||||
{
|
||||
if (!evm_key_loaded())
|
||||
if (!evm_revalidate_status(NULL))
|
||||
return;
|
||||
|
||||
evm_reset_status(dentry->d_inode);
|
||||
|
||||
if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
|
||||
evm_update_evmxattr(dentry, NULL, NULL, 0);
|
||||
}
|
||||
|
@ -570,6 +570,7 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
|
||||
const void *xattr_value, size_t xattr_value_len)
|
||||
{
|
||||
const struct evm_ima_xattr_data *xvalue = xattr_value;
|
||||
int digsig = 0;
|
||||
int result;
|
||||
|
||||
result = ima_protect_xattr(dentry, xattr_name, xattr_value,
|
||||
@ -577,8 +578,11 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
|
||||
if (result == 1) {
|
||||
if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
|
||||
return -EINVAL;
|
||||
ima_reset_appraise_flags(d_backing_inode(dentry),
|
||||
xvalue->type == EVM_IMA_XATTR_DIGSIG);
|
||||
digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
|
||||
}
|
||||
if (result == 1 || evm_revalidate_status(xattr_name)) {
|
||||
ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
|
||||
if (result == 1)
|
||||
result = 0;
|
||||
}
|
||||
return result;
|
||||
@ -589,8 +593,9 @@ int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
|
||||
int result;
|
||||
|
||||
result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
|
||||
if (result == 1) {
|
||||
if (result == 1 || evm_revalidate_status(xattr_name)) {
|
||||
ima_reset_appraise_flags(d_backing_inode(dentry), 0);
|
||||
if (result == 1)
|
||||
result = 0;
|
||||
}
|
||||
return result;
|
||||
|
Loading…
Reference in New Issue
Block a user