evm: Introduce evm_revalidate_status()

When EVM_ALLOW_METADATA_WRITES is set, EVM allows any operation on
metadata. Its main purpose is to allow users to freely set metadata when it
is protected by a portable signature, until an HMAC key is loaded.

However, callers of evm_verifyxattr() are not notified about metadata
changes and continue to rely on the last status returned by the function.
For example IMA, since it caches the appraisal result, will not call again
evm_verifyxattr() until the appraisal flags are cleared, and will grant
access to the file even if there was a metadata operation that made the
portable signature invalid.

This patch introduces evm_revalidate_status(), which callers of
evm_verifyxattr() can use in their xattr hooks to determine whether
re-validation is necessary and to do the proper actions. IMA calls it in
its xattr hooks to reset the appraisal flags, so that the EVM status is
re-evaluated after a metadata operation.

Lastly, this patch also adds a call to evm_reset_status() in
evm_inode_post_setattr() to invalidate the cached EVM status after a
setattr operation.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/include/linux/evm.h b/include/linux/evm.h
index 8302bc29bb358abca818d7b16ba0e1170b8924d6..39bb17a8236b1ad6273260d77d59b882c3d00024 100644 (file)
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -35,6 +35,7 @@ extern void evm_inode_post_removexattr(struct dentry *dentry,
 extern int evm_inode_init_security(struct inode *inode,
                                   const struct xattr *xattr_array,
                                   struct xattr *evm);
+extern bool evm_revalidate_status(const char *xattr_name);
 #ifdef CONFIG_FS_POSIX_ACL
 extern int posix_xattr_acl(const char *xattrname);
 #else
@@ -104,5 +105,10 @@ static inline int evm_inode_init_security(struct inode *inode,
        return 0;
 }
 
+static inline bool evm_revalidate_status(const char *xattr_name)
+{
+       return false;
+}
+
 #endif /* CONFIG_EVM */
 #endif /* LINUX_EVM_H */

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 7ac5204c8d1f2cbfe0f0aefb07b59e611afe5122..782915117175fbb4493c1f68f8a9d850e2c5fedf 100644 (file)
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -425,6 +425,31 @@ static void evm_reset_status(struct inode *inode)
                iint->evm_status = INTEGRITY_UNKNOWN;
 }
 
+/**
+ * evm_revalidate_status - report whether EVM status re-validation is necessary
+ * @xattr_name: pointer to the affected extended attribute name
+ *
+ * Report whether callers of evm_verifyxattr() should re-validate the
+ * EVM status.
+ *
+ * Return true if re-validation is necessary, false otherwise.
+ */
+bool evm_revalidate_status(const char *xattr_name)
+{
+       if (!evm_key_loaded())
+               return false;
+
+       /* evm_inode_post_setattr() passes NULL */
+       if (!xattr_name)
+               return true;
+
+       if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) &&
+           strcmp(xattr_name, XATTR_NAME_EVM))
+               return false;
+
+       return true;
+}
+
 /**
  * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
  * @dentry: pointer to the affected dentry
@@ -441,12 +466,14 @@ static void evm_reset_status(struct inode *inode)
 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
                             const void *xattr_value, size_t xattr_value_len)
 {
-       if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
-                                 && !posix_xattr_acl(xattr_name)))
+       if (!evm_revalidate_status(xattr_name))
                return;
 
        evm_reset_status(dentry->d_inode);
 
+       if (!strcmp(xattr_name, XATTR_NAME_EVM))
+               return;
+
        evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
 }
 
@@ -462,11 +489,14 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
  */
 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
 {
-       if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
+       if (!evm_revalidate_status(xattr_name))
                return;
 
        evm_reset_status(dentry->d_inode);
 
+       if (!strcmp(xattr_name, XATTR_NAME_EVM))
+               return;
+
        evm_update_evmxattr(dentry, xattr_name, NULL, 0);
 }
 
@@ -513,9 +543,11 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
  */
 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
 {
-       if (!evm_key_loaded())
+       if (!evm_revalidate_status(NULL))
                return;
 
+       evm_reset_status(dentry->d_inode);
+
        if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
                evm_update_evmxattr(dentry, NULL, NULL, 0);
 }

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 4e5eb0236278aa5f6dab20fa4275bb36cd3b7d94..03894769dffa528fe8ba55007df58e3ddc1c2aa6 100644 (file)
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -570,6 +570,7 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
                       const void *xattr_value, size_t xattr_value_len)
 {
        const struct evm_ima_xattr_data *xvalue = xattr_value;
+       int digsig = 0;
        int result;
 
        result = ima_protect_xattr(dentry, xattr_name, xattr_value,
@@ -577,9 +578,12 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
        if (result == 1) {
                if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
                        return -EINVAL;
-               ima_reset_appraise_flags(d_backing_inode(dentry),
-                       xvalue->type == EVM_IMA_XATTR_DIGSIG);
-               result = 0;
+               digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
+       }
+       if (result == 1 || evm_revalidate_status(xattr_name)) {
+               ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
+               if (result == 1)
+                       result = 0;
        }
        return result;
 }
@@ -589,9 +593,10 @@ int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
        int result;
 
        result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
-       if (result == 1) {
+       if (result == 1 || evm_revalidate_status(xattr_name)) {
                ima_reset_appraise_flags(d_backing_inode(dentry), 0);
-               result = 0;
+               if (result == 1)
+                       result = 0;
        }
        return result;
 }