On Mon, 2017-10-30 at 13:21 +0000, Matthew Garrett wrote:
> On Mon, Oct 30, 2017 at 12:30 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > On Fri, 2017-10-27 at 10:27 +0000, Dmitry Kasatkin wrote:
> >
> >> > @@ -345,7 +350,8 @@ int evm_inode_setxattr(struct dentry *dentry, const
> >> > char *xattr_name,
> >> > if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
> >> > if (!xattr_value_len)
> >> > return -EINVAL;
> >> > - if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
> >> > + if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
> >> > + xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
> >> > return -EPERM;
> >> > }
> >> > return evm_protect_xattr(dentry, xattr_name, xattr_value, @@ -
> >> > 432,6 +438,7 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr
> >> > *attr)
> >> > return 0;
> >> > evm_status = evm_verify_current_integrity(dentry);
> >> > if ((evm_status == INTEGRITY_PASS) ||
> >> > + (evm_status == INTEGRITY_PASS_IMMUTABLE) ||
> >> > (evm_status == INTEGRITY_NOXATTRS))
> >> > return 0;
> >>
> >> Something is wrong here?
> >> When integrity verification pass, this code WILL ALLOW to change attribute.
> >> But it is not possible... next time integrity verification will fail?
> >> Or I miss something?
> >
> > Right, it will allow the file metadata change. The bigger problem is
> > that evm_inode_post_setattr() will replace the signature with an HMAC.
>
> It will allow the metadata update as long as it's not security.evm or
> one of the evm protected xattrs, which means that
> evm_inode_post_setxattr() will return rather than calling
> evm_update_evmxattr().
We're discussing setattr, not setxattr here. Any file metadata change
(eg. chmod, chown, etc) will result in the file signature being
converted to an HMAC.
