On Mon, Sep 26, 2022 at 11:24 AM Christian Brauner <brauner@xxxxxxxxxx> wrote: > > The security_inode_post_setxattr() hook is used by security modules to > update their own security.* xattrs. Consequently none of the security > modules operate on posix acls. So we don't need an additional security > hook when post setting posix acls. > > However, the integrity subsystem wants to be informed about posix acl > changes and specifically evm to update their hashes when the xattrs > change. The callchain for evm_inode_post_setxattr() is: > > -> evm_inode_post_setxattr() > -> evm_update_evmxattr() > -> evm_calc_hmac() > -> evm_calc_hmac_or_hash() > > and evm_cacl_hmac_or_hash() walks the global list of protected xattr > names evm_config_xattrnames. This global list can be modified via > /sys/security/integrity/evm/evm_xattrs. The write to "evm_xattrs" is > restricted to security.* xattrs and the default xattrs in > evm_config_xattrnames only contains security.* xattrs as well. > > So the actual value for posix acls is currently completely irrelevant > for evm during evm_inode_post_setxattr() and frankly it should stay that > way in the future to not cause the vfs any more headaches. But if the > actual posix acl values matter then evm shouldn't operate on the binary > void blob and try to hack around in the uapi struct anyway. Instead it > should then in the future add a dedicated hook which takes a struct > posix_acl argument passing the posix acls in the proper vfs format. > > For now it is sufficient to make evm_inode_post_set_acl() a wrapper > around evm_inode_post_setxattr() not passing any actual values down. > This will still cause the hashes to be updated as before. > > Signed-off-by: Christian Brauner (Microsoft) <brauner@xxxxxxxxxx> > --- > > Notes: > /* v2 */ > unchanged > > fs/posix_acl.c | 5 ++++- > include/linux/evm.h | 13 +++++++++++++ > 2 files changed, 17 insertions(+), 1 deletion(-) Reviewed-by: Paul Moore <paul@xxxxxxxxxxxxxx> -- paul-moore.com
