From patchwork Fri Nov 3 07:26:52 2017
X-Patchwork-Submitter: Mikhail Kurinnoi
X-Patchwork-Id: 10039599
Date: Fri, 3 Nov 2017 10:26:52 +0300
From: Mikhail Kurinnoi
To: linux-integrity@vger.kernel.org
Subject: [PATCH] evm: allow metadata changes for inode without xattr support
Message-ID: <20171103102652.0618859d@totoro>

This patch provides changes in order to allow metadata changes for inode
without xattr support.

Signed-off-by: Mikhail Kurinnoi

 security/integrity/evm/evm_main.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 9826c02e2db8..51151c43433d 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -294,8 +294,7 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, if (!posix_xattr_acl(xattr_name)) return 0; evm_status = evm_verify_current_integrity(dentry); - if ((evm_status == INTEGRITY_PASS) || - (evm_status == INTEGRITY_NOXATTRS)) + if (evm_status == INTEGRITY_NOXATTRS) return 0; goto out; } @@ -319,12 +318,15 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, -EPERM, 0); } out: - if (evm_status != INTEGRITY_PASS) - integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), - dentry->d_name.name, "appraise_metadata", - integrity_status_msg[evm_status], - -EPERM, 0); - return evm_status == INTEGRITY_PASS ? 0 : -EPERM; + if ((evm_status == INTEGRITY_PASS) || + (evm_status == INTEGRITY_UNKNOWN)) + return 0; + + integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), + dentry->d_name.name, "appraise_metadata", + integrity_status_msg[evm_status], + -EPERM, 0); + return -EPERM; } /** @@ -435,7 +437,8 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) return 0; evm_status = evm_verify_current_integrity(dentry); if ((evm_status == INTEGRITY_PASS) || - (evm_status == INTEGRITY_NOXATTRS)) + (evm_status == INTEGRITY_NOXATTRS) || + (evm_status == INTEGRITY_UNKNOWN)) return 0; integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), dentry->d_name.name, "appraise_metadata",
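
Review bot: In the first hunk (@@ -294,8 +294,7 @@, the posix_xattr_acl() branch of evm_protect_xattr), dropping INTEGRITY_PASS from the early return means the success case now reaches "return 0" only through "goto out" and the rewritten check under the out: label. The result is unchanged for PASS, but the branch is no longer readable on its own, and a later edit to out: would silently change it. Keeping PASS here and adding INTEGRITY_UNKNOWN alongside it, as the third hunk does in evm_inode_setattr, would make the accepted statuses explicit at the point of decision.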
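
Review bot: In the second hunk (@@ -319,12 +318,15 @@, the out: label of evm_protect_xattr), returning 0 for INTEGRITY_UNKNOWN applies to every path that reaches the label, and nothing in the visible lines checks that the inode actually lacks xattr support, which is the only case the commit message names. This turns an unknown verification result into an allow decision, and it also skips integrity_audit_msg() for that status, so such changes no longer leave an AUDIT_INTEGRITY_METADATA record. Please add a comment stating why INTEGRITY_UNKNOWN can only mean "no xattr support" at this point, or narrow the condition to that case, and say in the commit message whether losing the audit record is intended.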
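
Review bot: In the third hunk (@@ -435,7 +437,8 @@, evm_inode_setattr), the list of statuses treated as success is now PASS, NOXATTRS and UNKNOWN, while the out: label in evm_protect_xattr accepts only PASS and UNKNOWN and its ACL branch accepts only NOXATTRS. The three open-coded conditions differ with no comment explaining why, which makes the policy hard to audit. A short comment above this condition, or a small helper shared by both functions that names the accepted statuses, would document the intent and keep the two hooks from drifting apart.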