> -----Original Message-----
> From: Mikhail Kurinnoi [mailto:viewizard@xxxxxxxxx] On Behalf Of Mikhail Kurinnoi
> Sent: 25 October 2017 14:25
> To: Matthew Garrett <mjg59@xxxxxxxxxx>
> Cc: linux-integrity <linux-integrity@xxxxxxxxxxxxxxx>; Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>; Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxxx>
> Subject: Re: [PATCH V3] EVM: Add support for portable signature format
>
> On Wed, 25 Oct 2017 03:43:34 -0700
> Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
>
> > On Wed, Oct 25, 2017 at 3:13 AM, Mikhail Kurinnoi
> > <viewizard@xxxxxxxxxxxxx> wrote:
> > > In case of an IMA hash update we will be forced to update the EVM xattr from
> > > ima_fix_xattr() with __vfs_setxattr_noperm(); this means we will not
> > > call evm_inode_setxattr(), but call evm_inode_post_setxattr().
> > >
> > > Dmitry's patch
> > > https://sourceforge.net/p/linux-ima/mailman/message/32987311/
> > > has a workaround for this issue. Since, in case we have an immutable
> > > EVM, we should prevent any file data changes (IMA hash update).
> >
> > Ah - does this need any more than adding EVM_XATTR_PORTABLE_DIGSIG to
> > the check in ima_appraise_measurement()? I can't see any other way
> > that we could get to ima_fix_xattr().
>
> I think Dmitry put the code into process_measurement() just because we
> already have "mask" here, so we could check it in an easy way.
>
> In the previous discussion, Mimi asked to move all EVM-related stuff connected to
> this check into the EVM module, instead of IMA. Probably this means we should
> use the EVM API (evm_verifyxattr(), called from ima_appraise_measurement())
> that we already have for EVM<->IMA communication.
>
> [DK] let me check/think this carefully later today.
>
> --
> Best regards,
> Mikhail Kurinnoi
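The approach Mikhail suggests above (let evm_verifyxattr() tell IMA that security.evm carries an immutable, portable signature, so that ima_appraise_measurement() never reaches ima_fix_xattr() for such a file), modelled in user space. This is an added example written for this page, not kernel code and not the patch under review: the xattr type bytes follow the kernel's enum evm_ima_xattr_type, the status values are a simplified version of the kernel's enum integrity_status, and the digest, HMAC and signature are a toy keyed FNV-1a stand-in rather than real cryptography. The file contents and host key are constructed, and the names evm_verify, ima_appraise, label_inode and tamper_then_appraise belong to this model only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type bytes as in the kernel's enum evm_ima_xattr_type; status values simplified
 * from its enum integrity_status. Everything else here is a user-space model. */
enum evm_ima_xattr_type { EVM_XATTR_HMAC = 2, IMA_XATTR_DIGEST_NG = 4, EVM_XATTR_PORTABLE_DIGSIG = 5 };
enum integrity_status { INTEGRITY_PASS = 0, INTEGRITY_PASS_IMMUTABLE, INTEGRITY_FAIL, INTEGRITY_NOXATTRS };

struct xattr { int present; uint8_t type; uint64_t value; };
struct inode {
	const uint8_t *data; size_t len;
	struct xattr ima;	/* security.ima: type byte + digest of the file data */
	struct xattr evm;	/* security.evm: type byte + HMAC or signature over security.ima */
};
#define HOST_HMAC_KEY 0x5ec0ddedULL	/* constructed stand-in for the per-host EVM key */
static uint8_t surviving_evm_type;	/* security.evm type left behind by the last scenario */

/* Toy stand-in for SHA-256 / HMAC: keyed 64-bit FNV-1a. Not a real MAC. */
static uint64_t toy_mac(uint64_t key, const uint8_t *p, size_t n)
{
	uint64_t h = 0xcbf29ce484222325ULL ^ key;
	for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
	return h;
}

/* EVM covers the serialized security.ima xattr: type byte followed by the digest. */
static uint64_t mac_over_ima(uint64_t key, const struct xattr *ima)
{
	uint8_t buf[1 + sizeof ima->value];
	buf[0] = ima->type;
	memcpy(buf + 1, &ima->value, sizeof ima->value);
	return toy_mac(key, buf, sizeof buf);
}

/* Model of evm_verifyxattr(): EVM reports not just valid/invalid but whether
 * security.evm is an immutable (portable) signature rather than a host HMAC. */
static enum integrity_status evm_verify(const struct inode *ino)
{
	if (!ino->evm.present) return INTEGRITY_NOXATTRS;
	switch (ino->evm.type) {
	case EVM_XATTR_HMAC:
		return ino->evm.value == mac_over_ima(HOST_HMAC_KEY, &ino->ima) ? INTEGRITY_PASS : INTEGRITY_FAIL;
	case EVM_XATTR_PORTABLE_DIGSIG:	/* keyless toy check stands in for signature verification */
		return ino->evm.value == mac_over_ima(0, &ino->ima) ? INTEGRITY_PASS_IMMUTABLE : INTEGRITY_FAIL;
	default:
		return INTEGRITY_FAIL;
	}
}

/* Model of ima_appraise_measurement() with the "fix" policy: a stale IMA digest is
 * normally rewritten (ima_fix_xattr) and the EVM post-setxattr hook regenerates the
 * host HMAC. That rewrite would destroy a portable signature this host cannot
 * recreate, so when EVM reports an immutable label the mismatch is a failure. */
static enum integrity_status ima_appraise(struct inode *ino, int fix_mode)
{
	enum integrity_status evm_status = evm_verify(ino);
	uint64_t digest = toy_mac(0, ino->data, ino->len);
	int ima_ok = ino->ima.present && ino->ima.type == IMA_XATTR_DIGEST_NG && ino->ima.value == digest;
	if (evm_status == INTEGRITY_PASS_IMMUTABLE)
		return ima_ok ? INTEGRITY_PASS_IMMUTABLE : INTEGRITY_FAIL;
	if (ima_ok && evm_status == INTEGRITY_PASS)
		return INTEGRITY_PASS;
	if (!fix_mode) return INTEGRITY_FAIL;
	ino->ima = (struct xattr){ 1, IMA_XATTR_DIGEST_NG, digest };
	ino->evm = (struct xattr){ 1, EVM_XATTR_HMAC, mac_over_ima(HOST_HMAC_KEY, &ino->ima) };
	return INTEGRITY_PASS;
}

/* Label a file with an IMA digest plus either a host HMAC or a portable signature. */
static void label_inode(struct inode *ino, const uint8_t *data, size_t len, int portable)
{
	ino->data = data; ino->len = len;
	ino->ima = (struct xattr){ 1, IMA_XATTR_DIGEST_NG, toy_mac(0, data, len) };
	ino->evm = (struct xattr){ 1, portable ? EVM_XATTR_PORTABLE_DIGSIG : EVM_XATTR_HMAC, 0 };
	ino->evm.value = mac_over_ima(portable ? 0 : HOST_HMAC_KEY, &ino->ima);
}

/* Scenario: label a constructed file, change its contents, appraise in fix mode. */
static enum integrity_status tamper_then_appraise(int portable)
{
	static const uint8_t original[] = "#!/bin/sh\necho ok\n";
	uint8_t tampered[sizeof original];
	struct inode ino;

	label_inode(&ino, original, sizeof original - 1, portable);
	memcpy(tampered, original, sizeof original);
	tampered[10] = 'X';		/* file data modified after labelling */
	ino.data = tampered;
	enum integrity_status st = ima_appraise(&ino, 1);
	surviving_evm_type = ino.evm.type;
	return st;
}

int main(void)
{
	enum integrity_status st = tamper_then_appraise(0);
	printf("HMAC-labelled:   status=%d evm_type=%u\n", st, surviving_evm_type);
	st = tamper_then_appraise(1);
	printf("portable-signed: status=%d evm_type=%u\n", st, surviving_evm_type);
}
```

Build with `cc -std=c99 -Wall model.c`. The two scenarios show the distinction the thread is after: the HMAC-labelled file is silently "fixed" and re-HMAC'd by the host, while the portable-signed file keeps its EVM_XATTR_PORTABLE_DIGSIG label and the appraisal fails, because the decision is made on what EVM reports about security.evm rather than on the type of security.ima alone.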