summaryrefslogtreecommitdiffstats
path: root/security/integrity/evm/evm_main.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/integrity/evm/evm_main.c')
-rw-r--r--security/integrity/evm/evm_main.c28
1 files changed, 19 insertions, 9 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 3bcb80df4d0..b392fe61473 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -126,14 +126,15 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
GFP_NOFS);
if (rc <= 0) {
- if (rc == 0)
- evm_status = INTEGRITY_FAIL; /* empty */
- else if (rc == -ENODATA) {
+ evm_status = INTEGRITY_FAIL;
+ if (rc == -ENODATA) {
rc = evm_find_protected_xattrs(dentry);
if (rc > 0)
evm_status = INTEGRITY_NOLABEL;
else if (rc == 0)
evm_status = INTEGRITY_NOXATTRS; /* new file */
+ } else if (rc == -EOPNOTSUPP) {
+ evm_status = INTEGRITY_UNKNOWN;
}
goto out;
}
@@ -161,9 +162,14 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
(const char *)xattr_data, xattr_len,
calc.digest, sizeof(calc.digest));
if (!rc) {
- /* we probably want to replace rsa with hmac here */
- evm_update_evmxattr(dentry, xattr_name, xattr_value,
- xattr_value_len);
+ /* Replace RSA with HMAC if not mounted readonly and
+ * not immutable
+ */
+ if (!IS_RDONLY(dentry->d_inode) &&
+ !IS_IMMUTABLE(dentry->d_inode))
+ evm_update_evmxattr(dentry, xattr_name,
+ xattr_value,
+ xattr_value_len);
}
break;
default:
@@ -284,6 +290,13 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
goto out;
}
evm_status = evm_verify_current_integrity(dentry);
+ if (evm_status == INTEGRITY_NOXATTRS) {
+ struct integrity_iint_cache *iint;
+
+ iint = integrity_iint_find(dentry->d_inode);
+ if (iint && (iint->flags & IMA_NEW_FILE))
+ return 0;
+ }
out:
if (evm_status != INTEGRITY_PASS)
integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode,
@@ -352,7 +365,6 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
return;
evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
- return;
}
/**
@@ -372,7 +384,6 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
mutex_lock(&inode->i_mutex);
evm_update_evmxattr(dentry, xattr_name, NULL, 0);
mutex_unlock(&inode->i_mutex);
- return;
}
/**
@@ -414,7 +425,6 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
evm_update_evmxattr(dentry, NULL, NULL, 0);
- return;
}
/*
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2025-05-11 15:27:41 +0000