Re: [PATCH] evm: allow metadata changes for inode without xattr support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2017-11-03 at 20:06 +0300, Mikhail Kurinnoi wrote:
> В Fri, 03 Nov 2017 12:54:08 -0400
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> пишет:
> 
> > On Fri, 2017-11-03 at 10:26 +0300, Mikhail Kurinnoi wrote:
> > > This patch provide changes in order to allow metadata changes for
> > > inode without xattr support.
> > > 
> > > 
> > > Signed-off-by: Mikhail Kurinnoi <viewizard@xxxxxxxxxxxxx>
> > > 
> > >  security/integrity/evm/evm_main.c | 21 ++++++++++++---------
> > >  1 file changed, 12 insertions(+), 9 deletions(-)
> > > 
> > > diff --git a/security/integrity/evm/evm_main.c
> > > b/security/integrity/evm/evm_main.c index
> > > 9826c02e2db8..51151c43433d 100644 ---
> > > a/security/integrity/evm/evm_main.c +++
> > > b/security/integrity/evm/evm_main.c @@ -294,8 +294,7 @@ static int
> > > evm_protect_xattr(struct dentry *dentry, const char *xattr_name, if
> > > (!posix_xattr_acl(xattr_name)) return 0;
> > >  		evm_status = evm_verify_current_integrity(dentry);
> > > -		if ((evm_status == INTEGRITY_PASS) ||
> > > -		    (evm_status == INTEGRITY_NOXATTRS))
> > > +		if (evm_status == INTEGRITY_NOXATTRS)
> > >  			return 0;
> > >  		goto out;
> > >  	}
> > > @@ -319,12 +318,15 @@ static int evm_protect_xattr(struct dentry
> > > *dentry, const char *xattr_name, -EPERM, 0);
> > >  	}
> > >  out:
> > > -	if (evm_status != INTEGRITY_PASS)
> > > -		integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
> > > d_backing_inode(dentry),
> > > -				    dentry->d_name.name,
> > > "appraise_metadata",
> > > -
> > > integrity_status_msg[evm_status],
> > > -				    -EPERM, 0);
> > > -	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
> > > +	if ((evm_status == INTEGRITY_PASS) ||
> > > +	    (evm_status == INTEGRITY_UNKNOWN))
> > > +		return 0;
> > > +
> > > +	integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
> > > d_backing_inode(dentry),
> > > +			    dentry->d_name.name,
> > > "appraise_metadata",
> > > +			    integrity_status_msg[evm_status],
> > > +			    -EPERM, 0);
> > > +	return -EPERM;
> > >  }
> > > 
> > >  /**
> > > @@ -435,7 +437,8 @@ int evm_inode_setattr(struct dentry *dentry,
> > > struct iattr *attr) return 0;
> > >  	evm_status = evm_verify_current_integrity(dentry);
> > >  	if ((evm_status == INTEGRITY_PASS) ||
> > > -	    (evm_status == INTEGRITY_NOXATTRS))
> > > +	    (evm_status == INTEGRITY_NOXATTRS) ||
> > > +	    (evm_status == INTEGRITY_UNKNOWN))
> > >  		return 0;
> > >  	integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
> > > d_backing_inode(dentry), dentry->d_name.name, "appraise_metadata",
> > >   
> > 
> > Since this change is limited to setattr, perhaps it would be simpler
> > to test the i_opflags directly, without modifying evm_protect_xattr().
> 
> In case of set/remove xattr (evm_inode_setxattr(),
> evm_inode_removexattr()), evm should not interact fs module work, that
> will provide proper error code.
> As I see in __vfs_setxattr_noperm(), error code could be -EOPNOTSUPP
> or -EIO, but evm will override it by error code -EPERM. I think, this is
> wrong. If we don't have xattr support, let fs module handle the error
> code.

The patch description described a specific reason for the change.  If
there is another reason for the change, then either include it in the
patch description or provide a separate patch.

Mimi




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux