Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1459367ybt;
        Thu, 18 Jun 2020 09:08:52 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwosk3cncuN+bgihwZV+vKgfoEgMGPKlGEm+W4kLlw51lbqijAihKrqUMhMll7Qet+EbHl0
X-Received: by 2002:a05:6402:228a:: with SMTP id cw10mr4532295edb.147.1592496531826;
        Thu, 18 Jun 2020 09:08:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1592496531; cv=none;
        d=google.com; s=arc-20160816;
        b=CaZXvE5CRMOH3Y/ybyghteyLOWChIeM8F7hGu40LnaL0zlytIsRMyRMFMauAbKLceI
         CZ4BAgHhVJMjQ2DmGW+Etz6J89HE+LvCmRtBCnM9MZCKNfwMTucReOWjkshoX98Wv+yB
         LiHqhccM+dW62pRqVwhX7/qrp8iDBr+BkUOWHU10pQ+6gUPkFF183t7219hLC1vfFm2+
         IJVsDkB4qg9Jlu6DqYaCHfxvY39LxGa4rMd4wh7UHz4SNJXer5qQ5fzzxFMFfCqHSi9C
         3dq09IJgRS7wiYtQLdlSnyIJbJiqGczUhP6aHvoSPJMKacR9S3mXk4Yk20JAxZSysy1R
         84Cw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:date:subject:cc
         :to:from;
        bh=7pGmEJPFOz6LP/QMQhsqMV+BeZN2BuiPIdvaFpReJ8g=;
        b=DLQ32HW2eU/Mze/RAiazVjcCkXD5C4AVEU9KxYc2LjWvI6uRubBRVHSyGOxCY24ZEv
         Om35ie0TxYyaqve5FmYJDdnx6oBNwIJc5g+boBsqWqY2DKL6QWPCQUyoD9O3hWadW+MA
         EqDyu/+Lgi3f6P/F2nu9MWxMiGwnF/M2CQROpWnICrZRIZfBpGAM+45mbse2k4Ox1YA+
         TMCxIyEAsG7WuKXAD8BfJjcyqU4Bk1DcyxdQHjbiuG5OCasrzKBvblvlgQWq+f1cynck
         Au2fg9erZS7dbB5fkOg3ZemAVEtwpMG/mLBGFbrOfOkfF0YCtchE5uAEaeOf01239BRw
         xR+Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id gt18si2094904ejb.467.2020.06.18.09.08.29;
        Thu, 18 Jun 2020 09:08:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731497AbgFRQEQ (ORCPT <rfc822;jaegeuk-test@gmail.com>
        + 99 others); Thu, 18 Jun 2020 12:04:16 -0400
Received: from lhrrgout.huawei.com ([185.176.76.210]:2330 "EHLO huawei.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1728134AbgFRQEP (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 18 Jun 2020 12:04:15 -0400
Received: from lhreml743-chm.china.huawei.com (unknown [172.18.7.108])
        by Forcepoint Email with ESMTP id 50781EC1761F9D513D02;
        Thu, 18 Jun 2020 17:04:13 +0100 (IST)
Received: from fraeml714-chm.china.huawei.com (10.206.15.33) by
 lhreml743-chm.china.huawei.com (10.201.108.193) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.1913.5; Thu, 18 Jun 2020 17:04:13 +0100
Received: from roberto-HP-EliteDesk-800-G2-DM-65W.huawei.com (10.204.65.160)
 by fraeml714-chm.china.huawei.com (10.206.15.33) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id
 15.1.1913.5; Thu, 18 Jun 2020 18:04:12 +0200
From:   Roberto Sassu <roberto.sassu@huawei.com>
To:     <zohar@linux.ibm.com>, <mjg59@google.com>
CC:     <linux-integrity@vger.kernel.org>,
        <linux-security-module@vger.kernel.org>,
        <linux-kernel@vger.kernel.org>,
        Roberto Sassu <roberto.sassu@huawei.com>,
        <stable@vger.kernel.org>
Subject: [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded
Date:   Thu, 18 Jun 2020 18:01:23 +0200
Message-ID: <20200618160133.937-1-roberto.sassu@huawei.com>
X-Mailer: git-send-email 2.17.1
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.204.65.160]
X-ClientProxiedBy: lhreml704-chm.china.huawei.com (10.201.108.53) To
 fraeml714-chm.china.huawei.com (10.206.15.33)
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

evm_inode_init_security() requires the HMAC key to calculate the HMAC on
initial xattrs provided by LSMs. Unfortunately, with the evm_key_loaded()
check, the function continues even if the HMAC key is not loaded
(evm_key_loaded() returns true also if EVM has been initialized only with a
public key). If the HMAC key is not loaded, evm_inode_init_security()
returns an error later when it calls evm_init_hmac().

Thus, this patch replaces the evm_key_loaded() check with a check of the
EVM_INIT_HMAC flag in evm_initialized, so that evm_inode_init_security()
returns 0 instead of an error.

Cc: stable@vger.kernel.org # 4.5.x
Fixes: 26ddabfe96b ("evm: enable EVM when X509 certificate is loaded")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 security/integrity/evm/evm_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 0d36259b690d..744c105b48d1 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -521,7 +521,8 @@ int evm_inode_init_security(struct inode *inode,
 	struct evm_xattr *xattr_data;
 	int rc;
 
-	if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
+	if (!(evm_initialized & EVM_INIT_HMAC) ||
+	    !evm_protected_xattr(lsm_xattr->name))
 		return 0;
 
 	xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
-- 
2.17.1