On Fri, 2017-11-03 at 10:26 +0300, Mikhail Kurinnoi wrote:
> This patch provide changes in order to allow metadata changes for
> inode without xattr support.
>
>
> Signed-off-by: Mikhail Kurinnoi <viewizard@xxxxxxxxxxxxx>
>
> security/integrity/evm/evm_main.c | 21 ++++++++++++---------
> 1 file changed, 12 insertions(+), 9 deletions(-)
>
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index 9826c02e2db8..51151c43433d 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -294,8 +294,7 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
> if (!posix_xattr_acl(xattr_name))
> return 0;
> evm_status = evm_verify_current_integrity(dentry);
> - if ((evm_status == INTEGRITY_PASS) ||
> - (evm_status == INTEGRITY_NOXATTRS))
> + if (evm_status == INTEGRITY_NOXATTRS)
> return 0;
> goto out;
> }
> @@ -319,12 +318,15 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
> -EPERM, 0);
> }
> out:
> - if (evm_status != INTEGRITY_PASS)
> - integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
> - dentry->d_name.name, "appraise_metadata",
> - integrity_status_msg[evm_status],
> - -EPERM, 0);
> - return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
> + if ((evm_status == INTEGRITY_PASS) ||
> + (evm_status == INTEGRITY_UNKNOWN))
> + return 0;
> +
> + integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
> + dentry->d_name.name, "appraise_metadata",
> + integrity_status_msg[evm_status],
> + -EPERM, 0);
> + return -EPERM;
> }
>
> /**
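Review bot: At the `out:` label of evm_protect_xattr(), the new early return treats INTEGRITY_UNKNOWN like INTEGRITY_PASS, so an xattr change made while the integrity status could not be determined is allowed without the AUDIT_INTEGRITY_METADATA record that every other non-PASS status still produces, and with no comment explaining why failing open is acceptable here. The hunks do not show which conditions make evm_verify_current_integrity() return INTEGRITY_UNKNOWN; if anything other than an inode lacking xattr support can yield it, this path and the same test added in the `@@ -435` hunk of evm_inode_setattr() would skip EVM protection for those inodes as well, so that should be confirmed and written down. I would add a comment at both sites along the lines of `/* INTEGRITY_UNKNOWN: inode has no xattr support, so there is no EVM xattr to verify */`. The `@@ -294` hunk now depends on this label to accept INTEGRITY_PASS in the posix_xattr_acl() branch, which also sends INTEGRITY_UNKNOWN from that branch to the permissive return; the body of evm_protect_xattr() starts before and continues between these hunks.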
> @@ -435,7 +437,8 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
> return 0;
> evm_status = evm_verify_current_integrity(dentry);
> if ((evm_status == INTEGRITY_PASS) ||
> - (evm_status == INTEGRITY_NOXATTRS))
> + (evm_status == INTEGRITY_NOXATTRS) ||
> + (evm_status == INTEGRITY_UNKNOWN))
> return 0;
> integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
> dentry->d_name.name, "appraise_metadata",
>

Since this change is limited to setattr, perhaps it would be simpler to test the i_opflags directly, without modifying evm_protect_xattr().

Mimi