diff options
author | Dmitry Kasatkin <dmitry.kasatkin@huawei.com> | 2015-10-22 20:26:42 +0200 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2015-12-15 15:56:57 +0100 |
commit | 523b74b16bcbba34c662da5df7fa111ae4c1d0e6 (patch) | |
tree | 922656dc4cb434235b5a7cacf91b0e26b9ecee81 /security/integrity | |
parent | evm: provide a function to set the EVM key from the kernel (diff) | |
download | linux-523b74b16bcbba34c662da5df7fa111ae4c1d0e6.tar.xz linux-523b74b16bcbba34c662da5df7fa111ae4c1d0e6.zip |
evm: reset EVM status when file attributes change
The EVM verification status is cached in iint->evm_status and if it
was successful, never re-verified again when IMA passes the 'iint' to
evm_verifyxattr().
When file attributes or extended attributes change, we may wish to
re-verify EVM integrity as well. For example, after setting a digital
signature we may need to re-verify the signature and update the
iint->flags that there is an EVM signature.
This patch enables that by resetting evm_status to INTEGRITY_UKNOWN
state.
Changes in v2:
* Flag setting moved to EVM layer
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r-- | security/integrity/evm/evm_main.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 420d94da2793..f7160253f17f 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -358,6 +358,15 @@ int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) return evm_protect_xattr(dentry, xattr_name, NULL, 0); } +static void evm_reset_status(struct inode *inode) +{ + struct integrity_iint_cache *iint; + + iint = integrity_iint_find(inode); + if (iint) + iint->evm_status = INTEGRITY_UNKNOWN; +} + /** * evm_inode_post_setxattr - update 'security.evm' to reflect the changes * @dentry: pointer to the affected dentry @@ -378,6 +387,8 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, && !posix_xattr_acl(xattr_name))) return; + evm_reset_status(dentry->d_inode); + evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); } @@ -396,6 +407,8 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) if (!evm_initialized || !evm_protected_xattr(xattr_name)) return; + evm_reset_status(dentry->d_inode); + evm_update_evmxattr(dentry, xattr_name, NULL, 0); } |