Commit cdef685b authored by Roberto Sassu's avatar Roberto Sassu Committed by Mimi Zohar
Browse files

evm: Allow xattr/attr operations for portable signatures 



If files with portable signatures are copied from one location to another
or are extracted from an archive, verification can temporarily fail until
all xattrs/attrs are set in the destination. Only portable signatures may
be moved or copied from one file to another, as they don't depend on
system-specific information such as the inode generation. Instead portable
signatures must include security.ima.

Unlike other security.evm types, EVM portable signatures are also
immutable. Thus, it wouldn't be a problem to allow xattr/attr operations
when verification fails, as portable signatures will never be replaced with
the HMAC on possibly corrupted xattrs/attrs.

This patch first introduces a new integrity status called
INTEGRITY_FAIL_IMMUTABLE, that allows callers of
evm_verify_current_integrity() to detect that a portable signature didn't
pass verification and then adds an exception in evm_protect_xattr() and
evm_inode_setattr() for this status and returns 0 instead of -EPERM.

Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent 4a804b8a

include/linux/integrity.h

+1 −0
Original line number Diff line number Diff line
@@ -13,6 +13,7 @@ enum integrity_status { 
	INTEGRITY_PASS = 0,

	INTEGRITY_PASS_IMMUTABLE,

	INTEGRITY_FAIL,

	INTEGRITY_FAIL_IMMUTABLE,

	INTEGRITY_NOLABEL,

	INTEGRITY_NOXATTRS,

	INTEGRITY_UNKNOWN,

security/integrity/evm/evm_main.c

+27 −6
Original line number Diff line number Diff line
@@ -27,7 +27,8 @@ 
int evm_initialized;



static const char * const integrity_status_msg[] = {

	"pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown"

	"pass", "pass_immutable", "fail", "fail_immutable", "no_label",

	"no_xattrs", "unknown"

};

int evm_hmac_attrs;
@@ -155,7 +156,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, 
	enum integrity_status evm_status = INTEGRITY_PASS;

	struct evm_digest digest;

	struct inode *inode;

	int rc, xattr_len;

	int rc, xattr_len, evm_immutable = 0;



	if (iint && (iint->evm_status == INTEGRITY_PASS ||

		     iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
@@ -200,8 +201,10 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, 
		if (rc)

			rc = -EINVAL;

		break;

	case EVM_IMA_XATTR_DIGSIG:

	case EVM_XATTR_PORTABLE_DIGSIG:

		evm_immutable = 1;

		fallthrough;

	case EVM_IMA_XATTR_DIGSIG:

		/* accept xattr with non-empty signature field */

		if (xattr_len <= sizeof(struct signature_v2_hdr)) {

			evm_status = INTEGRITY_FAIL;
@@ -238,9 +241,14 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, 
		break;

	}



	if (rc)

		evm_status = (rc == -ENODATA) ?

				INTEGRITY_NOXATTRS : INTEGRITY_FAIL;

	if (rc) {

		if (rc == -ENODATA)

			evm_status = INTEGRITY_NOXATTRS;

		else if (evm_immutable)

			evm_status = INTEGRITY_FAIL_IMMUTABLE;

		else

			evm_status = INTEGRITY_FAIL;

	}

out:

	if (iint)

		iint->evm_status = evm_status;
@@ -380,6 +388,14 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 
	if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||

	    evm_status == INTEGRITY_UNKNOWN))

		return 0;



	/*

	 * Writing other xattrs is safe for portable signatures, as portable

	 * signatures are immutable and can never be updated.

	 */

	if (evm_status == INTEGRITY_FAIL_IMMUTABLE)

		return 0;



	if (evm_status != INTEGRITY_PASS)

		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),

				    dentry->d_name.name, "appraise_metadata",
@@ -553,8 +569,13 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 
	if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))

		return 0;

	evm_status = evm_verify_current_integrity(dentry);

	/*

	 * Writing attrs is safe for portable signatures, as portable signatures

	 * are immutable and can never be updated.

	 */

	if ((evm_status == INTEGRITY_PASS) ||

	    (evm_status == INTEGRITY_NOXATTRS) ||

	    (evm_status == INTEGRITY_FAIL_IMMUTABLE) ||

	    (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||

	     evm_status == INTEGRITY_UNKNOWN)))

		return 0;

security/integrity/ima/ima_appraise.c

+2 −0
Original line number Diff line number Diff line
@@ -416,6 +416,8 @@ int ima_appraise_measurement(enum ima_hooks func, 
	case INTEGRITY_NOLABEL:		/* No security.evm xattr. */

		cause = "missing-HMAC";

		goto out;

	case INTEGRITY_FAIL_IMMUTABLE:

		fallthrough;

	case INTEGRITY_FAIL:		/* Invalid HMAC/signature. */

		cause = "invalid-HMAC";

		goto out;