On Wed, Oct 18, 2017 at 2:12 AM, Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
> I'm interested in extending our use of IMA digital signatures to EVM
> in order to protect security.capability (and, in the near future,
> security.apparmor). However, right now this doesn't seem to quite work
> in terms of allowing updates to a running system. We've discussed the
> EVM signature format's use of inode numbers and I think I've got that
> sorted (I'll send a patch once I've got a last couple of things
> working).
>
> However, I'm a little confused by how EVM should be working here. Once
> EVM is initialised, all EVM attributes will be protected, making it
> impossible to write new values to any xattrs covered by EVM unless
> IMA_NEW_FILE is set.

Sorry, why is it not possible to set xattrs? The system can change xattrs and the HMAC will be recalculated...

> But as far as I can tell, IMA_NEW_FILE will only
> be set if there's an IMA action that covers the file in question. This
> means it's possible to write out security.evm and friends on newly
> created files that would be appraised, but not on any other files. Am
> I missing something?

--
Thanks,
Dmitry
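As an added illustration of the xattrs the thread is arguing about (example code written for this page, not code from Matthew, Dmitry or the kernel tree): the first byte of security.evm / security.ima is a type tag, and for the asymmetric-signature case (EVM_IMA_XATTR_DIGSIG) it is followed by the packed "signature v2" header from security/integrity/integrity.h (version, hash algorithm, big-endian key id, big-endian signature size, signature bytes). The inode-number dependency Matthew refers to is not in this header; it is part of the data the HMAC/signature is computed over. The sample blob, the key id and the signature bytes below are constructed for the example. The optional getxattr/setxattr part of main() only runs on Linux and shows the errno a userspace writer gets back when EVM refuses the update.

```c
/* Added example (not from the thread): decode the header of a
 * security.evm / security.ima xattr in the IMA/EVM "signature v2"
 * layout and, on Linux, show what happens when userspace tries to
 * rewrite an EVM-protected xattr on a running system.
 * Build: cc -Wall -o evmhdr evmhdr.c    Run: ./evmhdr [path]
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/xattr.h>
#endif

/* xattr type byte values from the kernel's integrity headers */
enum evm_xattr_type {
    IMA_XATTR_DIGEST     = 0, /* legacy plain hash */
    EVM_XATTR_HMAC       = 1, /* HMAC over protected xattrs + inode metadata */
    EVM_IMA_XATTR_DIGSIG = 3, /* asymmetric signature; signature_v2_hdr follows */
    IMA_XATTR_DIGEST_NG  = 4  /* hash prefixed with a hash-algo byte */
};

/* Decoded form of struct signature_v2_hdr (9 packed header bytes). */
struct evm_hdr_info {
    uint8_t type;
    uint8_t version;
    uint8_t hash_algo;      /* enum hash_algo; 4 == HASH_ALGO_SHA256 */
    uint32_t keyid;         /* big-endian on disk */
    uint16_t sig_size;      /* big-endian on disk */
    const uint8_t *sig;     /* points into the caller's buffer */
};

/* Returns 0 and fills *out for a well-formed v2 signature blob, else -1. */
int parse_evm_digsig(const uint8_t *buf, size_t len, struct evm_hdr_info *out)
{
    if (len < 9 || buf[0] != EVM_IMA_XATTR_DIGSIG || buf[1] != 2)
        return -1;
    out->type      = buf[0];
    out->version   = buf[1];
    out->hash_algo = buf[2];
    out->keyid     = ((uint32_t)buf[3] << 24) | ((uint32_t)buf[4] << 16) |
                     ((uint32_t)buf[5] << 8)  |  (uint32_t)buf[6];
    out->sig_size  = (uint16_t)(((uint16_t)buf[7] << 8) | buf[8]);
    if ((size_t)out->sig_size != len - 9)   /* payload must fill the rest */
        return -1;
    out->sig = buf + 9;
    return 0;
}

const char *evm_type_name(uint8_t type)
{
    switch (type) {
    case IMA_XATTR_DIGEST:     return "digest";
    case EVM_XATTR_HMAC:       return "hmac";
    case EVM_IMA_XATTR_DIGSIG: return "digsig";
    case IMA_XATTR_DIGEST_NG:  return "digest_ng";
    default:                   return "unknown";
    }
}

/* Constructed sample: type 3, version 2, sha256 (4), keyid 0x0a1b2c3d,
 * sig_size 4, signature bytes de ad be ef. Not a real signature. */
const uint8_t sample_evm[] = {
    0x03, 0x02, 0x04, 0x0a, 0x1b, 0x2c, 0x3d, 0x00, 0x04,
    0xde, 0xad, 0xbe, 0xef
};

int main(int argc, char **argv)
{
    struct evm_hdr_info h;
    if (parse_evm_digsig(sample_evm, sizeof sample_evm, &h) == 0)
        printf("sample: %s v%u algo=%u keyid=%08x sig_size=%u\n",
               evm_type_name(h.type), h.version, h.hash_algo,
               h.keyid, h.sig_size);
#ifdef __linux__
    if (argc > 1) {
        uint8_t buf[512];
        ssize_t n = getxattr(argv[1], "security.evm", buf, sizeof buf);
        if (n < 0)
            printf("getxattr(security.evm): %s\n", strerror(errno));
        else
            printf("%s: security.evm type=%s (%zd bytes)\n", argv[1],
                   evm_type_name(buf[0]), n);
        /* Rewriting the blob as-is: with EVM enforcing, this is where a
         * running system sees the refusal Matthew describes (typically EPERM). */
        if (setxattr(argv[1], "security.evm", sample_evm,
                     sizeof sample_evm, 0) < 0)
            printf("setxattr(security.evm): %s\n", strerror(errno));
        else
            printf("setxattr(security.evm) succeeded\n");
    }
#endif
    return 0;
}
```

Run it as root against a file on an EVM-enabled system to see the difference between a freshly created file and an existing one; on a system without EVM the setxattr simply succeeds, which is exactly why a userspace updater cannot rely on the write going through.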