> >> Admins should note that creating portable signatures that do not include
> >> the security.ima xattr would allow these signatures to be applied to any
> >> file with the same owners and security labels, which would allow
> >> subversion of EVM's security guarantees. The kernel does not attempt to
> >> enforce this.
> >
> > As much as possible IMA and EVM should work independently of each
> > other. But in this case, I think we need to blur the lines a bit.
> >
> > Currently, before writing a new security.evm value, the existing
> > security.evm value is verified. To do this it has to read the
> > security xattrs to calculate the hash/hmac. How hard would it really
> > be to verify that a security.ima xattr exists, before writing this new
> > EVM signature? How hard would it be to make sure that security.ima is
> > included in the calculation on verification?
>
> I don't think it would be especially hard to ensure that security.ima
> is present if the portable digsig format is used, but as you say it
> would blur the lines a little.

I'd rather err on the side of caution, preventing an unnecessary possible
attack. In this case, I think it is warranted.