evm: Extend API of post hooks to pass the result of pre hooks

hulk inclusion category: feature feature: digest-lists --------------------------- This patch extends the API of post hooks to pass the result returned by the pre hooks. Given that now this information is available, post hooks can stop before updating the HMAC if the result of the pre hook is not zero. They still reset the result of the last verification, stored in the integrity_iint_cache, to ensure that file metadata are re-evaluated after update. Signed-off-by: N Roberto Sassu <roberto.sassu@huawei.com> Acked-by: N Hanjun Guo <guohanjun@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

evm: Extend API of post hooks to pass the result of pre hooks
hulk inclusion category: feature feature: digest-lists --------------------------- This patch extends the API of post hooks to pass the result returned by the pre hooks. Given that now this information is available, post hooks can stop before updating the HMAC if the result of the pre hook is not zero. They still reset the result of the last verification, stored in the integrity_iint_cache, to ensure that file metadata are re-evaluated after update. Signed-off-by: N Roberto Sassu <roberto.sassu@huawei.com> Acked-by: N Hanjun Guo <guohanjun@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
dcf1b463 · Roberto Sassu · Yang Yingliang · ab884109 · dcf1b463 · dcf1b463
隐藏空白更改
内联并排

Showing with 60 addition and 31 deletion

fs/attr.c fs/attr.c +1 -1

fs/xattr.c fs/xattr.c +29 -21

include/linux/evm.h include/linux/evm.h +12 -6

security/integrity/evm/evm_main.c security/integrity/evm/evm_main.c +18 -3

未找到文件。
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -341,7 +341,7 @@ int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **de
 	if (!error) {
 		fsnotify_change(dentry, ia_valid);
 		ima_inode_post_setattr(dentry);
-		evm_inode_post_setattr(dentry, ia_valid);
+		evm_inode_post_setattr(dentry, ia_valid, evm_error);
 	}
 	return error;

--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -150,24 +150,8 @@ __vfs_setxattr(struct dentry *dentry, struct inode *inode, const char *name,
 }
 EXPORT_SYMBOL(__vfs_setxattr);
-/**
+static int __vfs_setxattr_noperm_evm(struct dentry *dentry, const char *name,
- *  __vfs_setxattr_noperm - perform setxattr operation without performing
+		const void *value, size_t size, int flags, int evm_error)
- *  permission checks.
- *
- *  @dentry - object to perform setxattr on
- *  @name - xattr name to set
- *  @value - value to set @name to
- *  @size - size of @value
- *  @flags - flags to pass into filesystem operations
- *
- *  returns the result of the internal setxattr or setsecurity operations.
- *
- *  This function requires the caller to lock the inode's i_mutex before it
- *  is executed. It also assumes that the caller will make the appropriate
- *  permission checks.
- */
-int __vfs_setxattr_noperm(struct dentry *dentry, const char *name,
-		const void *value, size_t size, int flags)
 {
 	struct inode *inode = dentry->d_inode;
 	int error = -EAGAIN;
@@ -182,7 +166,8 @@ int __vfs_setxattr_noperm(struct dentry *dentry, const char *name,
 			fsnotify_xattr(dentry);
 			security_inode_post_setxattr(dentry, name, value,
 						     size, flags);
-			evm_inode_post_setxattr(dentry, name, value, size);
+			evm_inode_post_setxattr(dentry, name, value, size,
+						evm_error);
 		}
 	} else {
 		if (unlikely(is_bad_inode(inode)))
@@ -204,6 +189,28 @@ int __vfs_setxattr_noperm(struct dentry *dentry, const char *name,
 	return error;
 }
+/**
+ *  __vfs_setxattr_noperm - perform setxattr operation without performing
+ *  permission checks.
+ *
+ *  @dentry - object to perform setxattr on
+ *  @name - xattr name to set
+ *  @value - value to set @name to
+ *  @size - size of @value
+ *  @flags - flags to pass into filesystem operations
+ *
+ *  returns the result of the internal setxattr or setsecurity operations.
+ *
+ *  This function requires the caller to lock the inode's i_mutex before it
+ *  is executed. It also assumes that the caller will make the appropriate
+ *  permission checks.
+ */
+int __vfs_setxattr_noperm(struct dentry *dentry, const char *name,
+		const void *value, size_t size, int flags)
+{
+	return __vfs_setxattr_noperm_evm(dentry, name, value, size, flags, 0);
+}
 /**
 * __vfs_setxattr_locked: set an extended attribute while holding the inode
 * lock
@@ -242,7 +249,8 @@ __vfs_setxattr_locked(struct dentry *dentry, const char *name,
 	if (error)
 		goto out;
-	error = __vfs_setxattr_noperm(dentry, name, value, size, flags);
+	error = __vfs_setxattr_noperm_evm(dentry, name, value, size, flags,
+					  evm_error);
 out:
 	return error;
@@ -459,7 +467,7 @@ __vfs_removexattr_locked(struct dentry *dentry, const char *name,
 	if (!error) {
 		fsnotify_xattr(dentry);
-		evm_inode_post_removexattr(dentry, name);
+		evm_inode_post_removexattr(dentry, name, evm_error);
 	}
 out:

--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -22,16 +22,19 @@ extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
 					     size_t xattr_value_len,
 					     struct integrity_iint_cache *iint);
 extern int evm_inode_setattr(struct dentry *dentry, struct iattr *attr);
-extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid);
+extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid,
+				   int evm_pre_error);
 extern int evm_inode_setxattr(struct dentry *dentry, const char *name,
 			      const void *value, size_t size);
 extern void evm_inode_post_setxattr(struct dentry *dentry,
 				    const char *xattr_name,
 				    const void *xattr_value,
-				    size_t xattr_value_len);
+				    size_t xattr_value_len,
+				    int evm_pre_error);
 extern int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name);
 extern void evm_inode_post_removexattr(struct dentry *dentry,
-				       const char *xattr_name);
+				       const char *xattr_name,
+				       int evm_pre_error);
 extern int evm_inode_init_security(struct inode *inode,
 				   const struct xattr *xattr_array,
 				   struct xattr *evm);
@@ -66,7 +69,8 @@ static inline int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
 	return 0;
 }
-static inline void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
+static inline void evm_inode_post_setattr(struct dentry *dentry, int ia_valid,
+					  int evm_pre_error)
 {
 	return;
 }
@@ -80,7 +84,8 @@ static inline int evm_inode_setxattr(struct dentry *dentry, const char *name,
 static inline void evm_inode_post_setxattr(struct dentry *dentry,
 					   const char *xattr_name,
 					   const void *xattr_value,
-					   size_t xattr_value_len)
+					   size_t xattr_value_len,
+					   int evm_pre_error)
 {
 	return;
 }
@@ -92,7 +97,8 @@ static inline int evm_inode_removexattr(struct dentry *dentry,
 }
 static inline void evm_inode_post_removexattr(struct dentry *dentry,
-					      const char *xattr_name)
+					      const char *xattr_name,
+					      int evm_pre_error)
 {
 	return;
 }

--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -576,6 +576,7 @@ static void evm_reset_status(struct inode *inode, int bit)
 * @xattr_name: pointer to the affected extended attribute name
 * @xattr_value: pointer to the new extended attribute value
 * @xattr_value_len: pointer to the new extended attribute value length
+ * @evm_pre_error: error returned by evm_inode_setxattr()
 *
 * Update the HMAC stored in 'security.evm' to reflect the change.
 *
@@ -584,7 +585,8 @@ static void evm_reset_status(struct inode *inode, int bit)
 * i_mutex lock.
 */
 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
-			     const void *xattr_value, size_t xattr_value_len)
+			     const void *xattr_value, size_t xattr_value_len,
+			     int evm_pre_error)
 {
 	int is_evm = !strcmp(xattr_name, XATTR_NAME_EVM);
@@ -597,6 +599,9 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
 	if (is_evm)
 		return;
+	if (evm_pre_error)
+		return;
 	evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
 }
@@ -604,13 +609,15 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
 * @dentry: pointer to the affected dentry
 * @xattr_name: pointer to the affected extended attribute name
+ * @evm_pre_error: error returned by evm_inode_removexattr()
 *
 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
 *
 * No need to take the i_mutex lock here, as this function is called from
 * vfs_removexattr() which takes the i_mutex.
 */
-void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
+void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name,
+				int evm_pre_error)
 {
 	int is_evm = !strcmp(xattr_name, XATTR_NAME_EVM);
@@ -622,6 +629,9 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
 	if (is_evm)
 		return;
+	if (evm_pre_error)
+		return;
 	evm_update_evmxattr(dentry, xattr_name, NULL, 0);
 }
@@ -681,6 +691,7 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
 * @dentry: pointer to the affected dentry
 * @ia_valid: for the UID and GID status
+ * @evm_pre_error: error returned by evm_inode_setattr()
 *
 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
 * changes.
@@ -688,13 +699,17 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
 * This function is called from notify_change(), which expects the caller
 * to lock the inode's i_mutex.
 */
-void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
+void evm_inode_post_setattr(struct dentry *dentry, int ia_valid,
+			    int evm_pre_error)
 {
 	if (!evm_key_loaded())
 		return;
 	evm_reset_status(dentry->d_inode, IMA_CHANGE_ATTR);
+	if (evm_pre_error)
+		return;
 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
 		evm_update_evmxattr(dentry, NULL, NULL, 0);
 }