On Fri, 2017-10-27 at 10:41 +0000, Dmitry Kasatkin wrote: > > @@ -345,7 +350,8 @@ int evm_inode_setxattr(struct dentry *dentry, const > > char *xattr_name, > > if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { > > if (!xattr_value_len) > > return -EINVAL; > > - if (xattr_data->type != EVM_IMA_XATTR_DIGSIG) > > + if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && > > + xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) > > return -EPERM; > > } > > Also I have an impression that evm_protect_xattr will allow to set > security.ima for example, > And it will cause to try to re-calculate hmac over immutable > signature... Right, it will allow evm_inode_post_setxattr() to replace the new file signature with an HMAC. > > > return evm_protect_xattr(dentry, xattr_name, xattr_value, @@ -
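Review bot: In the evm_inode_setxattr() hunk, the added EVM_XATTR_PORTABLE_DIGSIG test sits inside the `strcmp(xattr_name, XATTR_NAME_EVM) == 0` branch, so it only governs writes to security.evm itself. A write to another protected xattr such as security.ima still falls through to the evm_protect_xattr() call, and as noted in the reply, evm_inode_post_setxattr() can then replace the portable signature with an HMAC. Consider a check on that path that leaves security.evm untouched, or refuses the write, when the existing value is of type EVM_XATTR_PORTABLE_DIGSIG. A comment stating that this type is treated as immutable would also help.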