From: Roberto Sassu
Subject: [PATCH v5 06/12] evm: Ignore INTEGRITY_NOLABEL/INTEGRITY_NOXATTRS if conditions are safe
Date: Wed, 7 Apr 2021 12:52:46 +0200
Message-ID: <20210407105252.30721-7-roberto.sassu@huawei.com>
In-Reply-To: <20210407105252.30721-1-roberto.sassu@huawei.com>
References: <20210407105252.30721-1-roberto.sassu@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

When a file is being created, LSMs can set the initial label with the inode_init_security hook. If no HMAC key is loaded, the new file will have LSM xattrs but not the HMAC. It is also possible that the file remains without protected xattrs after creation if no active LSM provided it.

Unfortunately, EVM will deny any further metadata operation on new files, as evm_protect_xattr() will always return the INTEGRITY_NOLABEL error, or INTEGRITY_NOXATTRS if no protected xattrs exist. This would limit the usability of EVM when only a public key is loaded, as commands such as cp or tar with the option to preserve xattrs won't work.

This patch ignores these errors when they won't be an issue, if no HMAC key is loaded and cannot be loaded in the future (which can be enforced by setting the EVM_SETUP_COMPLETE initialization flag).

Signed-off-by: Roberto Sassu
---
 security/integrity/evm/evm_main.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 998818283fda..6556e8c22da9 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -90,6 +90,24 @@ static bool evm_key_loaded(void) return (bool)(evm_initialized & EVM_KEY_MASK); } +/* + * Ignoring INTEGRITY_NOLABEL/INTEGRITY_NOXATTRS is safe if no HMAC key + * is loaded and the EVM_SETUP_COMPLETE initialization flag is set. + */ +static bool evm_ignore_error_safe(enum integrity_status evm_status) +{ + if (evm_initialized & EVM_INIT_HMAC) + return false; + + if (!(evm_initialized & EVM_SETUP_COMPLETE)) + return false; + + if (evm_status != INTEGRITY_NOLABEL && evm_status != INTEGRITY_NOXATTRS) + return false; + + return true; +} + static int evm_find_protected_xattrs(struct dentry *dentry) { struct inode *inode = d_backing_inode(dentry); @@ -354,6 +372,8 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, -EPERM, 0); } out: + if (evm_ignore_error_safe(evm_status)) + return 0; if (evm_status != INTEGRITY_PASS) integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), dentry->d_name.name, "appraise_metadata", @@ -515,7 +535,8 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) return 0; evm_status = evm_verify_current_integrity(dentry); if ((evm_status == INTEGRITY_PASS) || - (evm_status == INTEGRITY_NOXATTRS)) + (evm_status == INTEGRITY_NOXATTRS) || + (evm_ignore_error_safe(evm_status))) return 0; integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), dentry->d_name.name, "appraise_metadata", -- 2.26.2
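Review bot: the comment above evm_ignore_error_safe() in the first hunk lists the two conditions but not why the second one makes ignoring the errors safe; the commit message supplies the argument (EVM_SETUP_COMPLETE means no HMAC key can be loaded later, so a file left without an HMAC now will never be expected to have one). Suggest carrying that rationale into the comment, e.g. `* is loaded and the EVM_SETUP_COMPLETE initialization flag is set,` / `* which prevents an HMAC key from being loaded later.`, so the safety assumption is visible next to the check rather than only in the changelog.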
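Review bot: the `return 0` inserted at the `out:` label in evm_protect_xattr() sits before the integrity_audit_msg() call, so INTEGRITY_NOLABEL/INTEGRITY_NOXATTRS results are now allowed with no audit record whenever evm_ignore_error_safe() is true. From a detection standpoint that removes the only signal that metadata of an unlabelled file was changed while only a public key was loaded; consider either emitting the audit message (with a distinct cause string) before returning, or stating explicitly in the commit message that dropping the audit event in this case is intended.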
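Review bot: in the evm_inode_setattr() hunk the existing `(evm_status == INTEGRITY_NOXATTRS)` branch already returns 0 unconditionally, so the added `(evm_ignore_error_safe(evm_status))` term only contributes INTEGRITY_NOLABEL there, whereas in evm_protect_xattr() both statuses are gated on the key-state check. A sentence in the commit message explaining why setattr keeps accepting NOXATTRS regardless of key state would make the asymmetry deliberate rather than accidental, and the extra parentheses around the function call can be dropped to match the surrounding style.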