Hi Roberto, "if check fails" in the Subject line is unnecessary. On Fri, 2020-09-04 at 11:26 +0200, Roberto Sassu wrote: > If files with portable signatures are copied from one location to another > or are extracted from an archive, verification can temporarily fail until > all xattrs/attrs are set in the destination. Only portable signatures may > be moved or copied from one file to another, as they don't depend on > system-specific information such as the inode generation. Instead portable > signatures must include security.ima. > > Unlike other security.evm types, EVM portable signatures are also > immutable. Thus, it wouldn't be a problem to allow xattr/attr operations > when verification fails, as portable signatures will never be replaced with > an HMAC on possibly corrupted xattrs/attrs. > > This patch first introduces a new integrity status called > INTEGRITY_FAIL_IMMUTABLE, that allows callers of > evm_verify_current_integrity() to detect that a portable signature didn't > pass verification and then adds an exception in evm_protect_xattr() and > evm_inode_setattr() for this status and returns 0 instead of -EPERM. > > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> < snip > > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c > index 05be1ad3e6f3..a5dab1ac9374 100644 > --- a/security/integrity/evm/evm_main.c > +++ b/security/integrity/evm/evm_main.c > > @@ -358,6 +364,12 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, > -EPERM, 0); > } > out: > + /* Writing other xattrs is safe for portable signatures, as portable > + * signatures are immutable and can never be updated. > + */ This is the second time I'm seeing this comment format style. Why? What changed? Mimi > + if (evm_status == INTEGRITY_FAIL_IMMUTABLE) > + return 0; > + > if (evm_status != INTEGRITY_PASS) > integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), > dentry->d_name.name, "appraise_metadata",
