Re: [RFC] EVM: Add support for portable signature format

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, Oct 30, 2017 at 12:38 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> On Fri, 2017-10-27 at 10:41 +0000, Dmitry Kasatkin wrote:
>
>> > @@ -345,7 +350,8 @@ int evm_inode_setxattr(struct dentry *dentry, const
>> > char *xattr_name,
>> >     if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
>> >             if (!xattr_value_len)
>> >                     return -EINVAL;
>> > -           if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
>> > +           if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
>> > +               xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
>> >                     return -EPERM;
>> >     }
>>
>> Also I have an impression that evm_protect_xattr will allow to set
>> security.ima for example,
>> And it will cause to try to re-calculate hmac over immutable
>> signature...
>
> Right, it will allow evm_inode_post_setxattr() to replace the new file
> signature with an HMAC.

evm_inode_setxattr() will call evm_protect_xattr(), which will call
evm_verify_xattr(). This will return INTEGRITY_PASS_IMMUTABLE, which
will result in evm_protect_xattr() returning -EPERM, so we never get
to inode_post_setxattr().
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux