Subject: Re: [PATCH 2/4] evm: reset status in evm_inode_post_setattr()
From: Mimi Zohar
To: Roberto Sassu, dmitry.kasatkin@huawei.com, mjg59@google.com
Cc: linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, silviu.vlasceanu@huawei.com, stable@vger.kernel.org
Date: Mon, 20 May 2019 17:19:55 -0400
In-Reply-To: <20190516161257.6640-2-roberto.sassu@huawei.com>
References: <20190516161257.6640-1-roberto.sassu@huawei.com> <20190516161257.6640-2-roberto.sassu@huawei.com>
Message-Id: <1558387195.4039.76.camel@linux.ibm.com>
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 2019-05-16 at 18:12 +0200, Roberto Sassu wrote:
> This patch adds a call to evm_reset_status() in evm_inode_post_setattr(),
> before security.evm is updated. The same is done in the other
> evm_inode_post_* functions.
>
> Fixes: 523b74b16bcbb ("evm: reset EVM status when file attributes change")
> Signed-off-by: Roberto Sassu
> Cc: stable@vger.kernel.org

Why all of a sudden do we also need to clear the EVM cached status when
modifying the file attributes? The HMAC is being recalculated. If the
reason is because of EVM portable and immutable signatures, then the
"Fixes" tag is incorrect.

Mimi

> ---
> security/integrity/evm/evm_main.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index b6d9f14bc234..b41c2d8a8834 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -512,8 +512,11 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
> if (!evm_key_loaded())
> return;
>
> - if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
> + if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) {
> + evm_reset_status(dentry->d_inode);
> +
> evm_update_evmxattr(dentry, NULL, NULL, 0);
> + }
> }
>
> /*
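Review bot: The hunk in evm_inode_post_setattr() is missing a justification in the commit message: it calls evm_reset_status(dentry->d_inode) immediately before evm_update_evmxattr(dentry, NULL, NULL, 0) recomputes security.evm, and the description only says the other evm_inode_post_* functions do the same, not which case leaves the cached status stale after a mode/uid/gid change once the HMAC has been rewritten. The commit message should name that scenario (the reply above raises portable and immutable signatures, where security.evm is not an HMAC that gets recalculated); whichever commit introduced that scenario is what the Fixes: tag should point at, and the stable Cc should follow from that. Minor style point: the blank "+" line inside the new two-statement block, between the evm_reset_status() and evm_update_evmxattr() calls, can be dropped.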