iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cdef685be5
linux/security
History
Roberto Sassu cdef685be5 evm: Allow xattr/attr operations for portable signatures 
If files with portable signatures are copied from one location to another
or are extracted from an archive, verification can temporarily fail until
all xattrs/attrs are set in the destination. Only portable signatures may
be moved or copied from one file to another, as they don't depend on
system-specific information such as the inode generation. Instead portable
signatures must include security.ima.

Unlike other security.evm types, EVM portable signatures are also
immutable. Thus, it wouldn't be a problem to allow xattr/attr operations
when verification fails, as portable signatures will never be replaced with
the HMAC on possibly corrupted xattrs/attrs.

This patch first introduces a new integrity status called
INTEGRITY_FAIL_IMMUTABLE, that allows callers of
evm_verify_current_integrity() to detect that a portable signature didn't
pass verification and then adds an exception in evm_protect_xattr() and
evm_inode_setattr() for this status and returns 0 instead of -EPERM.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-05-21 12:48:39 -04:00
..
apparmor Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2021-05-02 09:14:01 -07:00
bpf bpf: Implement task local storage 2020-11-06 08:08:37 -08:00
integrity evm: Allow xattr/attr operations for portable signatures 2021-05-21 12:48:39 -04:00
keys trusted-keys: match tpm_get_ops on all return paths 2021-05-12 22:36:37 +03:00
landlock landlock: Enable user space to infer supported features 2021-04-22 12:22:11 -07:00
loadpin LSM: Add "contents" flag to kernel_read_file hook 2020-10-05 13:37:03 +02:00
lockdown Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2020-06-02 17:36:24 -07:00
safesetid LSM: SafeSetID: Fix code specification by scripts/checkpatch.pl 2021-04-26 16:36:50 -07:00
selinux Add Landlock, a new LSM from Mickaël Salaün <mic@linux.microsoft.com> 2021-05-01 18:50:44 -07:00
smack Add Landlock, a new LSM from Mickaël Salaün <mic@linux.microsoft.com> 2021-05-01 18:50:44 -07:00
tomoyo tomoyo: don't special case PF_IO_WORKER for PF_KTHREAD 2021-03-28 13:11:29 +09:00
yama task_work: cleanup notification modes 2020-10-17 15:05:30 -06:00
commoncap.c Miscellaneous minor fixes for v5.13. 2021-04-27 19:32:55 -07:00
device_cgroup.c device_cgroup: Fix RCU list debugging warning 2020-08-20 11:25:03 -07:00
inode.c Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
Kconfig landlock: Set up the security framework and manage credentials 2021-04-22 12:22:10 -07:00
Kconfig.hardening kasan: remove redundant config option 2021-04-16 16:10:36 -07:00
lsm_audit.c make dump_common_audit_data() safe to be called from RCU pathwalk 2021-01-16 15:12:08 -05:00
Makefile landlock: Add object management 2021-04-22 12:22:10 -07:00
min_addr.c sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
security.c Add Landlock, a new LSM from Mickaël Salaün <mic@linux.microsoft.com> 2021-05-01 18:50:44 -07:00