Hi Roberto,

On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> When a file is being created, LSMs can set the initial label with the
> inode_init_security hook. If no HMAC key is loaded, the new file will have
> LSM xattrs but not the HMAC.
>
> Unfortunately, EVM will deny any further metadata operation on new files,
> as evm_protect_xattr() will always return the INTEGRITY_NOLABEL error. This
> would limit the usability of EVM when only a public key is loaded, as
> commands such as cp or tar with the option to preserve xattrs won't work.
>
> Ignoring this error won't be an issue if no HMAC key is loaded, as the
> inode is locked until the post hook, and EVM won't calculate the HMAC on
> metadata that wasn't previously verified. Thus this patch checks if an
> HMAC key is loaded and if not, ignores INTEGRITY_NOLABEL.

I'm not sure what problem this patch is trying to solve.
evm_protect_xattr() is only called by evm_inode_setxattr() and
evm_inode_removexattr(), which first check whether
EVM_ALLOW_METADATA_WRITES is enabled.

Mimi