From dd2fe2360f8ae4e9d9e94af70ee3082178f4c9a5 Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Wed, 3 Mar 2021 08:44:11 +0100 Subject: [PATCH] evm: Reset status even when security.evm is modified hulk inclusion category: feature feature: IMA Digest Lists extension bugzilla: 46797 ------------------------------------------------- Without resetting the status when security.evm is modified, IMA appraisal would continue to use the cached result and wouldn't detect whether the meta_immutable requirement is still satisfied. This patch calls evm_reset_status() in the post hooks when security.evm is modified. Signed-off-by: Roberto Sassu Signed-off-by: Tianxing Zhang Reviewed-by: Jason Yan Signed-off-by: Zheng Zengkai --- security/integrity/evm/evm_main.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 7562f8891aa1..8cbf0787eb02 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -211,7 +211,6 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, evm_status = INTEGRITY_FAIL; goto out; } - digest.hdr.algo = HASH_ALGO_SHA1; rc = evm_calc_hmac(dentry, xattr_name, xattr_value, xattr_value_len, &digest); @@ -618,7 +617,8 @@ bool evm_status_revalidate(const char *xattr_name) if (!xattr_name) return true; - if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name)) + if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) && + strcmp(xattr_name, XATTR_NAME_EVM)) return false; return true; @@ -645,6 +645,9 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, evm_reset_status(dentry->d_inode); + if (!strcmp(xattr_name, XATTR_NAME_EVM)) + return; + evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); } @@ -665,6 +668,9 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) evm_reset_status(dentry->d_inode); + if (!strcmp(xattr_name, XATTR_NAME_EVM)) + return; + evm_update_evmxattr(dentry, xattr_name, NULL, 0); } -- GitLab