On Mon, Oct 30, 2017 at 12:30 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> On Fri, 2017-10-27 at 10:27 +0000, Dmitry Kasatkin wrote:
>
>> > @@ -345,7 +350,8 @@ int evm_inode_setxattr(struct dentry *dentry, const
>> > char *xattr_name,
>> > if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
>> > if (!xattr_value_len)
>> > return -EINVAL;
>> > - if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
>> > + if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
>> > + xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
>> > return -EPERM;
>> > }
>> > return evm_protect_xattr(dentry, xattr_name, xattr_value, @@ -
>> > 432,6 +438,7 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr
>> > *attr)
>> > return 0;
>> > evm_status = evm_verify_current_integrity(dentry);
>> > if ((evm_status == INTEGRITY_PASS) ||
>> > + (evm_status == INTEGRITY_PASS_IMMUTABLE) ||
>> > (evm_status == INTEGRITY_NOXATTRS))
>> > return 0;
>>
>> Something is wrong here?
>> When integrity verification pass, this code WILL ALLOW to change attribute.
>> But it is not possible... next time integrity verification will fail?
>> Or I miss something?
>
> Right, it will allow the file metadata change. The bigger problem is
> that evm_inode_post_setattr() will replace the signature with an HMAC.
It will allow the metadata update as long as it's not security.evm or
one of the evm protected xattrs, which means that
evm_inode_post_setxattr() will return rather than calling
evm_update_evmxattr().
