hulk inclusion
category: feature
feature: digest-lists

---------------------------

EVM is a module for the protection of the integrity of file metadata. It
protects security-relevant extended attributes, and some file attributes
such as the UID and the GID. It protects their integrity with an HMAC or
with a signature.

What makes EVM different from other LSMs is that it makes a security
decision depending on multiple pieces of information, which cannot be
managed atomically by the system.

Example: cp -a file.orig file.dest

If security.selinux, security.ima and security.evm must be preserved, cp
will invoke setxattr() for each xattr, and EVM performs a verification
during each operation. The problem is that copying security.evm from
file.orig to file.dest will likely break the following EVM verifications if
some metadata still have to be copied. EVM has no visibility on the
metadata of the source file, so it cannot determine when the copy can be
considered complete.

On the other hand, EVM has to check metadata during every operation to
ensure that there is no transition from corrupted metadata, e.g. after an
offline attack, to valid ones after the operation. An HMAC update would
prevent the corruption to be detected, as the HMAC on the new values would
be correct. Thus, to avoid this issue, EVM has to return an error to the
system call so that its execution will be interrupted.

A solution that would satisfy both requirements, not breaking user space
applications and detecting corrupted metadata is to let metadata operations
be completed successfully and to pass the result of the EVM verification
from the pre hooks to the post hooks. In this way, the HMAC update can be
avoided if the verification wasn't successful.

This approach will bring another important benefit: it is no longer
required that every file has a valid HMAC or signature. Instead of always
enforcing metadata integrity, even when it is not relevant for IMA, EVM
will let IMA decide for files selected with the appraisal policy,
depending on the result of the requested verification.

The main problem is that the result of the verification currently cannot be
passed from the pre hooks to the post hooks, due to how the LSM API is
defined. A possible solution would be to use integrity_iint_cache for this
purpose, but it will increase the memory pressure, as new structures will
be allocated also for metadata operations, not only for measurement,
appraisal and audit. Another solution would be to extend the LSM API, but
it seems not worthwhile as EVM would be the only module getting a benefit
from this change.

Given that pre and post hooks are called from the same system call, a more
efficient solution seems to move the hooks outside the LSM infrastructure,
so that the return value of the pre hooks can be passed to the post hooks.
A predefined error (-EAGAIN) will be used to signal to the system call to
continue the execution. Otherwise, if the pre hooks return -EPERM, the
system calls will behave as before and will immediately return before
metadata are changed.

Overview of the changes:

evm_inode_init_security()	LSM (no change)
evm_inode_setxattr()		LSM -> vfs_setxattr()
evm_inode_post_setxattr()	LSM -> vfs_setxattr()
evm_inode_removexattr()		LSM -> vfs_removexattr()
evm_inode_post_removexattr()	vfs_removexattr() (no change)
evm_inode_setattr()		LSM -> vfs_setattr()
evm_inode_post_setattr()	vfs_setattr() (no change)
evm_verifyxattr()		outside LSM (no change)
Signed-off-by: NRoberto Sassu <roberto.sassu@huawei.com>
Acked-by: NHanjun Guo <guohanjun@huawei.com>
Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>