On Fri, 03 Nov 2017 12:54:08 -0400 Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> On Fri, 2017-11-03 at 10:26 +0300, Mikhail Kurinnoi wrote:
> > This patch provides changes in order to allow metadata changes for
> > an inode without xattr support.
> > 
> > 
> > Signed-off-by: Mikhail Kurinnoi <viewizard@xxxxxxxxxxxxx>
> > 
> >  security/integrity/evm/evm_main.c | 21 ++++++++++++---------
> >  1 file changed, 12 insertions(+), 9 deletions(-)
> > 
> > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> > index 9826c02e2db8..51151c43433d 100644
> > --- a/security/integrity/evm/evm_main.c
> > +++ b/security/integrity/evm/evm_main.c
> > @@ -294,8 +294,7 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
> >  		if (!posix_xattr_acl(xattr_name))
> >  			return 0;
> >  		evm_status = evm_verify_current_integrity(dentry);
> > -		if ((evm_status == INTEGRITY_PASS) ||
> > -		    (evm_status == INTEGRITY_NOXATTRS))
> > +		if (evm_status == INTEGRITY_NOXATTRS)
> >  			return 0;
> >  		goto out;
> >  	}
> > @@ -319,12 +318,15 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
> >  					    -EPERM, 0);
> >  	}
> >  out:
> > -	if (evm_status != INTEGRITY_PASS)
> > -		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
> > -				    dentry->d_name.name, "appraise_metadata",
> > -				    integrity_status_msg[evm_status],
> > -				    -EPERM, 0);
> > -	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
> > +	if ((evm_status == INTEGRITY_PASS) ||
> > +	    (evm_status == INTEGRITY_UNKNOWN))
> > +		return 0;
> > +
> > +	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
> > +			    dentry->d_name.name, "appraise_metadata",
> > +			    integrity_status_msg[evm_status],
> > +			    -EPERM, 0);
> > +	return -EPERM;
> >  }
> >  
> >  /**
> > @@ -435,7 +437,8 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
> >  		return 0;
> >  	evm_status = evm_verify_current_integrity(dentry);
> >  	if ((evm_status == INTEGRITY_PASS) ||
> > -	    (evm_status == INTEGRITY_NOXATTRS))
> > +	    (evm_status == INTEGRITY_NOXATTRS) ||
> > +	    (evm_status == INTEGRITY_UNKNOWN))
> >  		return 0;
> >  	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
> >  			    dentry->d_name.name, "appraise_metadata",
> 
> Since this change is limited to setattr, perhaps it would be simpler
> to test the i_opflags directly, without modifying evm_protect_xattr().

In case of set/remove xattr (evm_inode_setxattr(), evm_inode_removexattr()),
evm should not interfere with the fs module's work, which will provide the
proper error code. As I see in __vfs_setxattr_noperm(), the error code could
be -EOPNOTSUPP or -EIO, but evm will override it with the error code -EPERM.
I think this is wrong. If we don't have xattr support, let the fs module
handle the error code.

-- 
Best regards,
Mikhail Kurinnoi
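Review bot: in the first hunk (the posix ACL branch of evm_protect_xattr()), dropping INTEGRITY_PASS from the early return means PASS now falls through to `goto out` and is accepted only because the `out:` block in the second hunk was rewritten to return 0 for it; the two hunks are coupled, and a reader of this branch alone can no longer see that PASS is allowed. A comment on the remaining `if (evm_status == INTEGRITY_NOXATTRS) return 0;` explaining why NOXATTRS is accepted here for ACL xattrs but not for protected xattrs at `out:` would make the split look deliberate rather than accidental.

Review bot: in the second hunk, the new `out:` block returns 0 for INTEGRITY_UNKNOWN without emitting an audit record, yet nothing in the hunk ties INTEGRITY_UNKNOWN to "inode without xattr support" as the commit message describes. If evm_verify_current_integrity() can report UNKNOWN for any other reason, every write to a protected xattr in that state would bypass EVM silently. Either state in the commit message exactly when UNKNOWN is produced, or test the inode's xattr support directly, as the reply suggests, instead of widening the accepted statuses.

Review bot: in the evm_inode_setattr() hunk, INTEGRITY_UNKNOWN joins PASS and NOXATTRS as statuses that return 0 before integrity_audit_msg() runs, so a setattr on an inode that EVM could not evaluate leaves no audit trail at all. If the intent really is limited to filesystems without xattr support, checking that property of the inode directly (the i_opflags test proposed in the reply) keeps the exemption narrow and makes the condition self-documenting.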