On Wed, 2021-05-05 at 13:29 +0200, Roberto Sassu wrote:
> When EVM_ALLOW_METADATA_WRITES is set, EVM allows any operation on
> metadata. Its main purpose is to allow users to freely set metadata when it
> is protected by a portable signature, until an HMAC key is loaded.
>
> However, callers of evm_verifyxattr() are not notified about metadata
> changes and continue to rely on the last status returned by the function.
> For example IMA, since it caches the appraisal result, will not call again
> evm_verifyxattr() until the appraisal flags are cleared, and will grant
> access to the file even if there was a metadata operation that made the
> portable signature invalid.
>
> This patch introduces evm_status_revalidate(), which callers of
> evm_verifyxattr() can use in their xattr hooks to determine whether
> re-validation is necessary and to do the proper actions. IMA calls it in
> its xattr hooks to reset the appraisal flags, so that the EVM status is
> re-evaluated after a metadata operation.
>
> Lastly, this patch also adds a call to evm_reset_status() in
> evm_inode_post_setattr() to invalidate the cached EVM status after a
> setattr operation.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

I'm really sorry for the patch churn, but could you rename
evm_status_revalidate() to evm_revalidate_status()?

Otherwise,

Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

thanks,

Mimi