mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
synced 2026-04-18 03:23:53 -04:00
evm: Allow xattr/attr operations for portable signatures
If files with portable signatures are copied from one location to another or are extracted from an archive, verification can temporarily fail until all xattrs/attrs are set in the destination. Only portable signatures may be moved or copied from one file to another, as they don't depend on system-specific information such as the inode generation. Instead portable signatures must include security.ima. Unlike other security.evm types, EVM portable signatures are also immutable. Thus, it wouldn't be a problem to allow xattr/attr operations when verification fails, as portable signatures will never be replaced with the HMAC on possibly corrupted xattrs/attrs. This patch first introduces a new integrity status called INTEGRITY_FAIL_IMMUTABLE, that allows callers of evm_verify_current_integrity() to detect that a portable signature didn't pass verification and then adds an exception in evm_protect_xattr() and evm_inode_setattr() for this status and returns 0 instead of -EPERM. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Roberto Sassu
committed by
Mimi Zohar
Mimi Zohar
parent
4a804b8a45
commit
cdef685be5
@@ -13,6 +13,7 @@ enum integrity_status {
|
||||
INTEGRITY_PASS = 0,
|
||||
INTEGRITY_PASS_IMMUTABLE,
|
||||
INTEGRITY_FAIL,
|
||||
INTEGRITY_FAIL_IMMUTABLE,
|
||||
INTEGRITY_NOLABEL,
|
||||
INTEGRITY_NOXATTRS,
|
||||
INTEGRITY_UNKNOWN,
|
||||
|
||||
Reference in New Issue
Block a user