Hi Thiago, On Thu, 2019-04-18 at 00:51 -0300, Thiago Jung Bauermann wrote: > > @@ -326,6 +356,10 @@ int ima_appraise_measurement(enum ima_hooks func, > case INTEGRITY_UNKNOWN: > break; > case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */ > + /* It's fine not to have xattrs when using a modsig. */ > + if (try_modsig) > + break; > + /* fall through */ > case INTEGRITY_NOLABEL: /* No security.evm xattr. */ > cause = "missing-HMAC"; > goto out; > @@ -340,6 +374,14 @@ int ima_appraise_measurement(enum ima_hooks func, > rc = xattr_verify(func, iint, xattr_value, xattr_len, &status, > &cause); > > + /* > + * If we have a modsig and either no imasig or the imasig's key isn't > + * known, then try verifying the modsig. > + */ > + if (status != INTEGRITY_PASS && try_modsig && > + (!xattr_value || rc == -ENOKEY)) > + rc = modsig_verify(func, modsig, &status, &cause); EVM protects other security xattrs, not just security.ima, if they exist. As a result, evm_verifyxattr() could pass based on the other security xattrs. Mimi > + > out: > /* > * File signatures on some filesystems can not be properly verified.
