Hi Mimi

I found a problem in the calculation of the EVM digest. If an xattr is in the security domain, vfs_getxattr() calls xattr_getsecurity(), which is implemented by LSMs. vfs_getxattr_alloc() instead calls directly the filesystem function to read xattrs.

The problem arises for example when you have a file with a portable signature on the correct SELinux label (with \0) and you set security.selinux manually:

setfattr -n security.selinux -v "system_u:object_r:bin_t:s0" cat

Although the length passed is 26 bytes (without \0), you get:

# attr -l cat
Attribute "selinux" has a 27 byte value for cat

which includes \0.

From user space, evmctl does not complain (the signature is ok) because it calculates the EVM digest with \0, but EVM verification fails (because it calculates the digest without \0).

Should this problem be fixed?

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
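The mismatch described in the message, as an added illustration that is not part of the original e-mail and is not kernel or evmctl code. It models the two read paths as plain functions and uses a simplified digest (SHA-256 over the xattr value only, an assumption; the real EVM digest covers more fields). The function names are hypothetical.

```python
import hashlib

# Label from the message: 26 bytes, no terminating NUL.
LABEL = b"system_u:object_r:bin_t:s0"


def read_via_lsm(stored: bytes) -> bytes:
    """Model of the vfs_getxattr() path as the message reports it:
    the LSM returns the label with a terminating NUL."""
    return stored.rstrip(b"\0") + b"\0"


def read_via_filesystem(stored: bytes) -> bytes:
    """Model of the vfs_getxattr_alloc() path: the raw bytes the
    filesystem holds, with no LSM involvement."""
    return stored


def simplified_digest(xattrs: dict) -> str:
    """Stand-in for the EVM digest (assumption): hash the protected
    xattr values in name order."""
    h = hashlib.sha256()
    for name in sorted(xattrs):
        h.update(xattrs[name])
    return h.hexdigest()


def compare_paths(stored: bytes) -> dict:
    """Compare what the signing side and the verifying side would hash
    for one stored security.selinux value."""
    name = "security.selinux"
    signer_view = read_via_lsm(stored)            # what user space reads
    verifier_view = read_via_filesystem(stored)   # what verification reads
    return {
        "stored_len": len(stored),
        "signer_len": len(signer_view),
        "verifier_len": len(verifier_view),
        "digests_match": simplified_digest({name: signer_view})
        == simplified_digest({name: verifier_view}),
    }


if __name__ == "__main__":
    # Constructed inputs: the label stored without and with the NUL.
    for stored in (LABEL, LABEL + b"\0"):
        print(compare_paths(stored))
```

A single trailing byte is enough to change the digest, so the two views agree only when the stored value already carries the \0.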