| Message ID | 20190516161257.6640-2-roberto.sassu@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [1/4] evm: check hash algorithm passed to init_desc() | expand |
On Thu, 2019-05-16 at 18:12 +0200, Roberto Sassu wrote: > This patch adds a call to evm_reset_status() in evm_inode_post_setattr(), > before security.evm is updated. The same is done in the other > evm_inode_post_* functions. > > Fixes: 523b74b16bcbb ("evm: reset EVM status when file attributes change") > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > Cc: stable@vger.kernel.org Why all of a sudden do we also need to clear the EVM cached status when modifying the file attributes? The HMAC is being recalculated. If the reason is because of EVM portable and immutable signatures, then the "Fixes" tag is incorrect. Mimi > --- > security/integrity/evm/evm_main.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c > index b6d9f14bc234..b41c2d8a8834 100644 > --- a/security/integrity/evm/evm_main.c > +++ b/security/integrity/evm/evm_main.c > @@ -512,8 +512,11 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) > if (!evm_key_loaded()) > return; > > - if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) > + if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) { > + evm_reset_status(dentry->d_inode); > + > evm_update_evmxattr(dentry, NULL, NULL, 0); > + } > } > > /*
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index b6d9f14bc234..b41c2d8a8834 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -512,8 +512,11 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) if (!evm_key_loaded()) return; - if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) + if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) { + evm_reset_status(dentry->d_inode); + evm_update_evmxattr(dentry, NULL, NULL, 0); + } } /*
This patch adds a call to evm_reset_status() in evm_inode_post_setattr(), before security.evm is updated. The same is done in the other evm_inode_post_* functions. Fixes: 523b74b16bcbb ("evm: reset EVM status when file attributes change") Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Cc: stable@vger.kernel.org --- security/integrity/evm/evm_main.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)