On Wed, 25 Oct 2017 03:43:34 -0700 Matthew Garrett <mjg59@xxxxxxxxxx> wrote:

> On Wed, Oct 25, 2017 at 3:13 AM, Mikhail Kurinnoi
> <viewizard@xxxxxxxxxxxxx> wrote:
> > In case of an IMA hash update we will be forced to update the EVM xattr from
> > ima_fix_xattr() with __vfs_setxattr_noperm(); this means we will not
> > call evm_inode_setxattr(), but evm_inode_post_setxattr().
> >
> > Dmitry's patch
> > https://sourceforge.net/p/linux-ima/mailman/message/32987311/
> > has a workaround for this issue, since, in case we have an immutable
> > EVM, we should prevent any file data changes (IMA hash update).
>
> Ah - does this need any more than adding EVM_XATTR_PORTABLE_DIGSIG to
> the check in ima_appraise_measurement()? I can't see any other way
> that we could get to ima_fix_xattr().

I think Dmitry put the code into process_measurement() just because we
already have "mask" there, so we could check it in an easy way.

In the previous discussion, Mimi asked to move all EVM-related stuff
connected to this check into the EVM module instead of IMA. Probably
this means we should use the EVM API (evm_verifyxattr(), called from
ima_appraise_measurement()) that we already have for EVM<->IMA
communication.

--
Best regards,
Mikhail Kurinnoi
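The distinction the thread turns on is whether the security.evm xattr on a file is something the local kernel can regenerate (an HMAC) or an immutable portable signature that no local fix-up may touch. The following userspace checker is an added example, not code from the thread, from Dmitry's patch or from the kernel: it reads security.evm and security.ima from a file, classifies them by the type byte that leads each blob, and applies the policy Mikhail describes (a portable EVM signature forbids an in-place security.ima rewrite of the kind ima_fix_xattr() performs). The enum values are taken from enum evm_ima_xattr_type in the kernel's security/integrity/integrity.h; that they match the tree you are looking at is an assumption, as is the fix-decision policy itself, which models the discussion rather than the kernel's actual appraisal code.

```c
/* evm_xattr_check.c - classify security.evm / security.ima on a file and
 * decide whether an in-place security.ima rewrite would be allowed.
 * Added example for this thread; not kernel code.  Build: cc -o evm_xattr_check evm_xattr_check.c */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Assumption: values as in the kernel's security/integrity/integrity.h. */
enum evm_ima_xattr_type {
    IMA_XATTR_DIGEST = 0x01,   /* legacy IMA hash */
    EVM_XATTR_HMAC,            /* 2: per-machine HMAC, regenerable with the local key */
    EVM_IMA_XATTR_DIGSIG,      /* 3: asymmetric signature (EVM over HMAC input, or IMA over file hash) */
    IMA_XATTR_DIGEST_NG,       /* 4: IMA hash with algorithm byte */
    EVM_XATTR_PORTABLE_DIGSIG, /* 5: portable EVM signature, no inode-specific input */
    IMA_XATTR_LAST
};

enum fix_decision { FIX_NO_EVM, FIX_ALLOWED, FIX_DENIED_IMMUTABLE, FIX_UNKNOWN_TYPE };

const char *xattr_type_name(unsigned char t)
{
    switch (t) {
    case IMA_XATTR_DIGEST:           return "IMA_XATTR_DIGEST";
    case EVM_XATTR_HMAC:             return "EVM_XATTR_HMAC";
    case EVM_IMA_XATTR_DIGSIG:       return "EVM_IMA_XATTR_DIGSIG";
    case IMA_XATTR_DIGEST_NG:        return "IMA_XATTR_DIGEST_NG";
    case EVM_XATTR_PORTABLE_DIGSIG:  return "EVM_XATTR_PORTABLE_DIGSIG";
    default:                         return "(unknown type)";
    }
}

const char *decision_name(enum fix_decision d)
{
    switch (d) {
    case FIX_NO_EVM:           return "allowed (no security.evm present)";
    case FIX_ALLOWED:          return "allowed (EVM HMAC can be regenerated)";
    case FIX_DENIED_IMMUTABLE: return "denied (portable EVM signature is immutable)";
    default:                   return "unknown EVM type, leave untouched";
    }
}

/* Policy from the thread (assumption, a model and not the kernel's logic):
 * an immutable portable signature must block any data change, including an
 * IMA hash "fix"; a plain HMAC may be recomputed after the rewrite.  The
 * type is the first byte of the xattr blob; an empty blob is malformed. */
enum fix_decision evm_fix_decision(const unsigned char *evm, size_t len)
{
    if (evm == NULL || len == 0)
        return FIX_NO_EVM;
    switch (evm[0]) {
    case EVM_XATTR_HMAC:            return FIX_ALLOWED;
    case EVM_XATTR_PORTABLE_DIGSIG: return FIX_DENIED_IMMUTABLE;
    case EVM_IMA_XATTR_DIGSIG:      return FIX_ALLOWED; /* non-portable: thread treats only portable as immutable */
    default:                        return FIX_UNKNOWN_TYPE;
    }
}

/* Returns blob length, 0 when the attribute is absent, -1 on other errors. */
ssize_t read_xattr(const char *path, const char *name, unsigned char *buf, size_t buflen)
{
    ssize_t n = getxattr(path, name, buf, buflen);
    if (n < 0 && errno == ENODATA)
        return 0;
    return n;
}

int main(int argc, char **argv)
{
    unsigned char evm[4096], ima[4096];
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    ssize_t elen = read_xattr(argv[1], "security.evm", evm, sizeof evm);
    ssize_t ilen = read_xattr(argv[1], "security.ima", ima, sizeof ima);
    if (elen < 0 || ilen < 0) {
        perror("getxattr");
        return 1;
    }
    printf("security.ima: %s\n", ilen ? xattr_type_name(ima[0]) : "(absent)");
    printf("security.evm: %s\n", elen ? xattr_type_name(evm[0]) : "(absent)");
    printf("in-place security.ima rewrite: %s\n",
           decision_name(evm_fix_decision(evm, (size_t)elen)));
    return 0;
}
```

Run it as root against a file labelled by evmctl (for example `./evm_xattr_check /usr/bin/ls`); on a file carrying a portable signature it reports the rewrite as denied, which is exactly the case the thread wants ima_appraise_measurement() (or the EVM side behind evm_verifyxattr()) to refuse before ima_fix_xattr() is ever reached.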