Re: [PATCH -next] evm: Use __vfs_setxattr() to update security.evm

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Mimi Zohar <zohar@linux.ibm.com>
To: Xiu Jianfeng <xiujianfeng@huawei.com>,
	dmitry.kasatkin@gmail.com, paul@paul-moore.com,
	jmorris@namei.org, serge@hallyn.com
Cc: linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH -next] evm: Use __vfs_setxattr() to update security.evm
Date: Wed, 18 Jan 2023 16:45:02 -0500	[thread overview]
Message-ID: <3c34c1e8c74722110e5d7e87146b090791734916.camel@linux.ibm.com> (raw)
In-Reply-To: <20221228030248.94285-1-xiujianfeng@huawei.com>

On Wed, 2022-12-28 at 11:02 +0800, Xiu Jianfeng wrote:
> Currently it uses __vfs_setxattr_noperm() to update "security.evm",
> however there are two lsm hooks(inode_post_setxattr and inode_setsecurity)
> being called inside this function, which don't make any sense for xattr
> "security.evm", because the handlers of these two hooks, such as selinux
> and smack, only care about their own xattr.

Updating the security.ima hash triggers re-calculating and writing the
security.evm HMAC.  Refer to evm_inode_post_setxattr().

Mimi

> 
> On the other hand, there is a literally rather than actually cyclical
> callchain as follows:
> security_inode_post_setxattr
>   ->evm_inode_post_setxattr
>     ->evm_update_evmxattr
>       ->__vfs_setxattr_noperm
>         ->security_inode_post_setxattr
> 
> So use __vfs_setxattr() to update "security.evm".
> 
> Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
> ---
>  security/integrity/evm/evm_crypto.c   | 7 +++----
>  security/integrity/ima/ima_appraise.c | 8 ++++----
>  2 files changed, 7 insertions(+), 8 deletions(-)
> 
> diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
> index fa5ff13fa8c9..d8275dfa49ef 100644
> --- a/security/integrity/evm/evm_crypto.c
> +++ b/security/integrity/evm/evm_crypto.c
> @@ -376,10 +376,9 @@ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name,
>  			   xattr_value_len, &data);
>  	if (rc == 0) {
>  		data.hdr.xattr.sha1.type = EVM_XATTR_HMAC;
> -		rc = __vfs_setxattr_noperm(&init_user_ns, dentry,
> -					   XATTR_NAME_EVM,
> -					   &data.hdr.xattr.data[1],
> -					   SHA1_DIGEST_SIZE + 1, 0);
> +		rc = __vfs_setxattr(&init_user_ns, dentry, d_inode(dentry),
> +				    XATTR_NAME_EVM, &data.hdr.xattr.data[1],
> +				    SHA1_DIGEST_SIZE + 1, 0);
>  	} else if (rc == -ENODATA && (inode->i_opflags & IOP_XATTR)) {
>  		rc = __vfs_removexattr(&init_user_ns, dentry, XATTR_NAME_EVM);
>  	}
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index ee6f7e237f2e..d2de9dc6c345 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -98,10 +98,10 @@ static int ima_fix_xattr(struct dentry *dentry,
>  		iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
>  		iint->ima_hash->xattr.ng.algo = algo;
>  	}
> -	rc = __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_IMA,
> -				   &iint->ima_hash->xattr.data[offset],
> -				   (sizeof(iint->ima_hash->xattr) - offset) +
> -				   iint->ima_hash->length, 0);
> +	rc = __vfs_setxattr(&init_user_ns, dentry, d_inode(dentry),
> +			    XATTR_NAME_IMA, &iint->ima_hash->xattr.data[offset],
> +			    (sizeof(iint->ima_hash->xattr) - offset) +
> +			    iint->ima_hash->length, 0);
>  	return rc;
>  }
>

next prev parent reply	other threads:[~2023-01-18 21:45 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-28  3:02 [PATCH -next] evm: Use __vfs_setxattr() to update security.evm Xiu Jianfeng
2023-01-18 21:45 ` Mimi Zohar [this message]
2023-01-30  1:53   ` Guozihua (Scott)
2023-01-31 11:31     ` Mimi Zohar
2023-02-01  6:42       ` xiujianfeng
2023-02-01  7:10       ` Guozihua (Scott)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3c34c1e8c74722110e5d7e87146b090791734916.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=jmorris@namei.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=serge@hallyn.com \
    --cc=xiujianfeng@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).