[v6,04/11] evm: Introduce evm_status_revalidate()

Message ID	20210505112935.1410679-5-roberto.sassu@huawei.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> From: Roberto Sassu <roberto.sassu@huawei.com> To: <zohar@linux.ibm.com>, <mjg59@google.com> CC: <linux-integrity@vger.kernel.org>, <linux-security-module@vger.kernel.org>, <linux-kernel@vger.kernel.org>, Roberto Sassu <roberto.sassu@huawei.com> Subject: [PATCH v6 04/11] evm: Introduce evm_status_revalidate() Date: Wed, 5 May 2021 13:29:28 +0200 Message-ID: <20210505112935.1410679-5-roberto.sassu@huawei.com> In-Reply-To: <20210505112935.1410679-1-roberto.sassu@huawei.com> References: <20210505112935.1410679-1-roberto.sassu@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII Precedence: bulk
Series	evm: Improve usability of portable signatures \| expand [v6,00/11] evm: Improve usability of portable signatures [v6,01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded [v6,02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal [v6,03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded [v6,04/11] evm: Introduce evm_status_revalidate() [v6,05/11] evm: Introduce evm_hmac_disabled() to safely ignore verification errors [v6,06/11] evm: Allow xattr/attr operations for portable signatures [v6,07/11] evm: Pass user namespace to set/remove xattr hooks [v6,08/11] evm: Allow setxattr() and setattr() for unmodified metadata [v6,09/11] ima: Allow imasig requirement to be satisfied by EVM portable signatures [v6,10/11] ima: Introduce template field evmsig and write to field sig as fallback [v6,11/11] ima: Don't remove security.ima if file must not be appraised

Message ID

20210505112935.1410679-5-roberto.sassu@huawei.com (mailing list archive)

State

New, archived

Headers

From: Roberto Sassu <roberto.sassu@huawei.com>
To: <zohar@linux.ibm.com>, <mjg59@google.com>
CC: <linux-integrity@vger.kernel.org>,
        <linux-security-module@vger.kernel.org>,
        <linux-kernel@vger.kernel.org>,
        Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH v6 04/11] evm: Introduce evm_status_revalidate()
Date: Wed, 5 May 2021 13:29:28 +0200
Message-ID: <20210505112935.1410679-5-roberto.sassu@huawei.com>
In-Reply-To: <20210505112935.1410679-1-roberto.sassu@huawei.com>
References: <20210505112935.1410679-1-roberto.sassu@huawei.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=US-ASCII
Precedence: bulk

Series

evm: Improve usability of portable signatures | expand

Commit Message

Roberto Sassu May 5, 2021, 11:29 a.m. UTC

When EVM_ALLOW_METADATA_WRITES is set, EVM allows any operation on
metadata. Its main purpose is to allow users to freely set metadata when it
is protected by a portable signature, until an HMAC key is loaded.

However, callers of evm_verifyxattr() are not notified about metadata
changes and continue to rely on the last status returned by the function.
For example IMA, since it caches the appraisal result, will not call again
evm_verifyxattr() until the appraisal flags are cleared, and will grant
access to the file even if there was a metadata operation that made the
portable signature invalid.

This patch introduces evm_status_revalidate(), which callers of
evm_verifyxattr() can use in their xattr hooks to determine whether
re-validation is necessary and to do the proper actions. IMA calls it in
its xattr hooks to reset the appraisal flags, so that the EVM status is
re-evaluated after a metadata operation.

Lastly, this patch also adds a call to evm_reset_status() in
evm_inode_post_setattr() to invalidate the cached EVM status after a
setattr operation.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 include/linux/evm.h                   |  6 +++++
 security/integrity/evm/evm_main.c     | 33 +++++++++++++++++++++++----
 security/integrity/ima/ima_appraise.c | 15 ++++++++----
 3 files changed, 45 insertions(+), 9 deletions(-)

Comments

Mimi Zohar May 11, 2021, 1:42 p.m. UTC | #1

On Wed, 2021-05-05 at 13:29 +0200, Roberto Sassu wrote:
> When EVM_ALLOW_METADATA_WRITES is set, EVM allows any operation on
> metadata. Its main purpose is to allow users to freely set metadata when it
> is protected by a portable signature, until an HMAC key is loaded.
> 
> However, callers of evm_verifyxattr() are not notified about metadata
> changes and continue to rely on the last status returned by the function.
> For example IMA, since it caches the appraisal result, will not call again
> evm_verifyxattr() until the appraisal flags are cleared, and will grant
> access to the file even if there was a metadata operation that made the
> portable signature invalid.
> 
> This patch introduces evm_status_revalidate(), which callers of
> evm_verifyxattr() can use in their xattr hooks to determine whether
> re-validation is necessary and to do the proper actions. IMA calls it in
> its xattr hooks to reset the appraisal flags, so that the EVM status is
> re-evaluated after a metadata operation.
> 
> Lastly, this patch also adds a call to evm_reset_status() in
> evm_inode_post_setattr() to invalidate the cached EVM status after a
> setattr operation.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>

I'm really  sorry for the patch churn, but could you rename
evm_status_revalidate() to evm_revalidate_status().

Otherwise,

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

thanks,

Mimi

diff --git a/include/linux/evm.h b/include/linux/evm.h
index 8302bc29bb35..e5b7bcb152b9 100644
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -35,6 +35,7 @@  extern void evm_inode_post_removexattr(struct dentry *dentry,
 extern int evm_inode_init_security(struct inode *inode,
 				   const struct xattr *xattr_array,
 				   struct xattr *evm);
+extern bool evm_status_revalidate(const char *xattr_name);
 #ifdef CONFIG_FS_POSIX_ACL
 extern int posix_xattr_acl(const char *xattrname);
 #else
@@ -104,5 +105,10 @@  static inline int evm_inode_init_security(struct inode *inode,
 	return 0;
 }
 
+static inline bool evm_status_revalidate(const char *xattr_name)
+{
+	return false;
+}
+
 #endif /* CONFIG_EVM */
 #endif /* LINUX_EVM_H */
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 7ac5204c8d1f..998818283fda 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -425,6 +425,30 @@  static void evm_reset_status(struct inode *inode)
 		iint->evm_status = INTEGRITY_UNKNOWN;
 }
 
+/**
+ * evm_status_revalidate - report whether EVM status re-validation is necessary
+ * @xattr_name: pointer to the affected extended attribute name
+ *
+ * Report whether callers of evm_verifyxattr() should re-validate the
+ * EVM status.
+ *
+ * Return true if re-validation is necessary, false otherwise.
+ */
+bool evm_status_revalidate(const char *xattr_name)
+{
+	if (!evm_key_loaded())
+		return false;
+
+	/* evm_inode_post_setattr() passes NULL */
+	if (!xattr_name)
+		return true;
+
+	if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name))
+		return false;
+
+	return true;
+}
+
 /**
  * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
  * @dentry: pointer to the affected dentry
@@ -441,8 +465,7 @@  static void evm_reset_status(struct inode *inode)
 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
 			     const void *xattr_value, size_t xattr_value_len)
 {
-	if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
-				  && !posix_xattr_acl(xattr_name)))
+	if (!evm_status_revalidate(xattr_name))
 		return;
 
 	evm_reset_status(dentry->d_inode);
@@ -462,7 +485,7 @@  void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
  */
 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
 {
-	if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
+	if (!evm_status_revalidate(xattr_name))
 		return;
 
 	evm_reset_status(dentry->d_inode);
@@ -513,9 +536,11 @@  int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
  */
 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
 {
-	if (!evm_key_loaded())
+	if (!evm_status_revalidate(NULL))
 		return;
 
+	evm_reset_status(dentry->d_inode);
+
 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
 		evm_update_evmxattr(dentry, NULL, NULL, 0);
 }
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 4e5eb0236278..ddac9e727d3a 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -570,6 +570,7 @@  int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 		       const void *xattr_value, size_t xattr_value_len)
 {
 	const struct evm_ima_xattr_data *xvalue = xattr_value;
+	int digsig = 0;
 	int result;
 
 	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
@@ -577,9 +578,12 @@  int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 	if (result == 1) {
 		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
 			return -EINVAL;
-		ima_reset_appraise_flags(d_backing_inode(dentry),
-			xvalue->type == EVM_IMA_XATTR_DIGSIG);
-		result = 0;
+		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
+	}
+	if (result == 1 || evm_status_revalidate(xattr_name)) {
+		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
+		if (result == 1)
+			result = 0;
 	}
 	return result;
 }
@@ -589,9 +593,10 @@  int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
 	int result;
 
 	result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
-	if (result == 1) {
+	if (result == 1 || evm_status_revalidate(xattr_name)) {
 		ima_reset_appraise_flags(d_backing_inode(dentry), 0);
-		result = 0;
+		if (result == 1)
+			result = 0;
 	}
 	return result;
 }

[v6,04/11] evm: Introduce evm_status_revalidate()

Commit Message

Comments

Patch