evm: Allow xattr/attr operations for portable signatures
If files with portable signatures are copied from one location to another or are extracted from an archive, verification can temporarily fail until all xattrs/attrs are set in the destination. Only portable signatures may be moved or copied from one file to another, as they don't depend on system-specific information such as the inode generation. Instead portable signatures must include security.ima. Unlike other security.evm types, EVM portable signatures are also immutable. Thus, it wouldn't be a problem to allow xattr/attr operations when verification fails, as portable signatures will never be replaced with the HMAC on possibly corrupted xattrs/attrs. This patch first introduces a new integrity status called INTEGRITY_FAIL_IMMUTABLE, that allows callers of evm_verify_current_integrity() to detect that a portable signature didn't pass verification and then adds an exception in evm_protect_xattr() and evm_inode_setattr() for this status and returns 0 instead of -EPERM. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
parent
4a804b8a45
commit
cdef685be5
@ -13,6 +13,7 @@ enum integrity_status {
|
||||
INTEGRITY_PASS = 0,
|
||||
INTEGRITY_PASS_IMMUTABLE,
|
||||
INTEGRITY_FAIL,
|
||||
INTEGRITY_FAIL_IMMUTABLE,
|
||||
INTEGRITY_NOLABEL,
|
||||
INTEGRITY_NOXATTRS,
|
||||
INTEGRITY_UNKNOWN,
|
||||
|
@ -27,7 +27,8 @@
|
||||
int evm_initialized;
|
||||
|
||||
static const char * const integrity_status_msg[] = {
|
||||
"pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown"
|
||||
"pass", "pass_immutable", "fail", "fail_immutable", "no_label",
|
||||
"no_xattrs", "unknown"
|
||||
};
|
||||
int evm_hmac_attrs;
|
||||
|
||||
@ -155,7 +156,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
|
||||
enum integrity_status evm_status = INTEGRITY_PASS;
|
||||
struct evm_digest digest;
|
||||
struct inode *inode;
|
||||
int rc, xattr_len;
|
||||
int rc, xattr_len, evm_immutable = 0;
|
||||
|
||||
if (iint && (iint->evm_status == INTEGRITY_PASS ||
|
||||
iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
|
||||
@ -200,8 +201,10 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
|
||||
if (rc)
|
||||
rc = -EINVAL;
|
||||
break;
|
||||
case EVM_IMA_XATTR_DIGSIG:
|
||||
case EVM_XATTR_PORTABLE_DIGSIG:
|
||||
evm_immutable = 1;
|
||||
fallthrough;
|
||||
case EVM_IMA_XATTR_DIGSIG:
|
||||
/* accept xattr with non-empty signature field */
|
||||
if (xattr_len <= sizeof(struct signature_v2_hdr)) {
|
||||
evm_status = INTEGRITY_FAIL;
|
||||
@ -238,9 +241,14 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
|
||||
break;
|
||||
}
|
||||
|
||||
if (rc)
|
||||
evm_status = (rc == -ENODATA) ?
|
||||
INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
|
||||
if (rc) {
|
||||
if (rc == -ENODATA)
|
||||
evm_status = INTEGRITY_NOXATTRS;
|
||||
else if (evm_immutable)
|
||||
evm_status = INTEGRITY_FAIL_IMMUTABLE;
|
||||
else
|
||||
evm_status = INTEGRITY_FAIL;
|
||||
}
|
||||
out:
|
||||
if (iint)
|
||||
iint->evm_status = evm_status;
|
||||
@ -380,6 +388,14 @@ out:
|
||||
if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
|
||||
evm_status == INTEGRITY_UNKNOWN))
|
||||
return 0;
|
||||
|
||||
/*
|
||||
* Writing other xattrs is safe for portable signatures, as portable
|
||||
* signatures are immutable and can never be updated.
|
||||
*/
|
||||
if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
|
||||
return 0;
|
||||
|
||||
if (evm_status != INTEGRITY_PASS)
|
||||
integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
|
||||
dentry->d_name.name, "appraise_metadata",
|
||||
@ -553,8 +569,13 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
|
||||
if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
|
||||
return 0;
|
||||
evm_status = evm_verify_current_integrity(dentry);
|
||||
/*
|
||||
* Writing attrs is safe for portable signatures, as portable signatures
|
||||
* are immutable and can never be updated.
|
||||
*/
|
||||
if ((evm_status == INTEGRITY_PASS) ||
|
||||
(evm_status == INTEGRITY_NOXATTRS) ||
|
||||
(evm_status == INTEGRITY_FAIL_IMMUTABLE) ||
|
||||
(evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
|
||||
evm_status == INTEGRITY_UNKNOWN)))
|
||||
return 0;
|
||||
|
@ -416,6 +416,8 @@ int ima_appraise_measurement(enum ima_hooks func,
|
||||
case INTEGRITY_NOLABEL: /* No security.evm xattr. */
|
||||
cause = "missing-HMAC";
|
||||
goto out;
|
||||
case INTEGRITY_FAIL_IMMUTABLE:
|
||||
fallthrough;
|
||||
case INTEGRITY_FAIL: /* Invalid HMAC/signature. */
|
||||
cause = "invalid-HMAC";
|
||||
goto out;
|
||||
|
Loading…
Reference in New Issue
Block a user