| Message ID | 20240223172513.4049959-9-stefanb@linux.ibm.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Delegated to | Paul Moore |
| Series | evm: Support signatures on stacked filesystem |
On Fri, 2024-02-23 at 12:25 -0500, Stefan Berger wrote:
> Unsupported filesystems currently do not enforce any signatures. Add
> support for signature enforcement of the "original" and "portable &
> immutable" signatures when EVM_INIT_X509 is enabled.
>
> The "original" signature type contains filesystem specific metadata.
> Thus it cannot be copied up and verified. However with EVM_INIT_X509
> and EVM_ALLOW_METADATA_WRITES enabled, the "original" file signature
> may be written.
>
> When EVM_ALLOW_METADATA_WRITES is not set or once it is removed from
> /sys/kernel/security/evm by setting EVM_INIT_HMAC for example, it is not
> possible to write or remove xattrs on the overlay filesystem.

This paragraph is currently correct, but at some point EVM_ALLOW_METADATA_WRITES will be deprecated. Refer to commit 1434c6a1d32a ("evm: Deprecate EVM_ALLOW_METADATA_WRITES").

Mimi

> This change still prevents EVM from writing HMAC signatures on
> unsupported filesystem when EVM_INIT_HMAC is enabled.
>
> Co-developed-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index c1ca0894cd8a..cfb4f9809369 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -192,7 +192,11 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) return iint->evm_status; - if (is_unsupported_fs(dentry)) + /* + * On unsupported filesystems without EVM_INIT_X509 enabled, skip + * signature verification. + */ + if (!(evm_initialized & EVM_INIT_X509) && is_unsupported_fs(dentry)) return INTEGRITY_UNKNOWN; /* if status is not PASS, try to check again - against -ENOMEM */ @@ -261,7 +265,8 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, evm_status = INTEGRITY_PASS_IMMUTABLE; } else if (!IS_RDONLY(inode) && !(inode->i_sb->s_readonly_remount) && - !IS_IMMUTABLE(inode)) { + !IS_IMMUTABLE(inode) && + !is_unsupported_fs(dentry)) { evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); @@ -419,9 +424,6 @@ enum integrity_status evm_verifyxattr(struct dentry *dentry, if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) return INTEGRITY_UNKNOWN; - if (is_unsupported_fs(dentry)) - return INTEGRITY_UNKNOWN; - return evm_verify_hmac(dentry, xattr_name, xattr_value, xattr_value_len); }
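Review bot: in the first hunk (@@ -192), the new comment above `if (!(evm_initialized & EVM_INIT_X509) && is_unsupported_fs(dentry))` documents only the skip case; it should also state the other half of the decision, namely that with EVM_INIT_X509 set a dentry on an unsupported filesystem now continues into the rest of evm_verify_hmac() instead of returning INTEGRITY_UNKNOWN. Something like `/* With EVM_INIT_X509, signatures on unsupported filesystems are verified like any other; without it, skip verification. */` would make the intent clear at the site, and the commit message should say what is expected for an HMAC-type EVM xattr found on such a filesystem, since it only discusses the "original" and "portable & immutable" signature types.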
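Review bot: in the second hunk (@@ -261), the added `!is_unsupported_fs(dentry)` clause is what keeps evm_update_evmxattr() from writing an HMAC on an unsupported filesystem, but nothing at the site says why; a one-line comment giving the reason from the commit message (the HMAC covers filesystem-specific metadata that is not meaningful once copied up) would save the next reader a trip to the changelog. Also, is_unsupported_fs(dentry) is now evaluated twice in the same function (here and in the EVM_INIT_X509 guard of the first hunk); a local `bool unsupported_fs = is_unsupported_fs(dentry);` near the top of evm_verify_hmac() would avoid the duplicate call and keep both conditions obviously in sync.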
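Review bot: in the third hunk (@@ -419), removing the is_unsupported_fs() check from evm_verifyxattr() changes the order of evaluation: previously an unsupported filesystem returned INTEGRITY_UNKNOWN before evm_verify_hmac() was entered, whereas now evm_verify_hmac() first returns any cached `iint->evm_status` (the `INTEGRITY_PASS_IMMUTABLE` early return visible in the first hunk's context) and only then reaches the new EVM_INIT_X509 guard. That is presumably intended for already-verified signatures, but the commit message should state that a cached status is now returned for unsupported filesystems even when EVM_INIT_X509 is off, and confirm that no other caller of evm_verify_hmac() relied on evm_verifyxattr() filtering those filesystems first.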
Unsupported filesystems currently do not enforce any signatures. Add
support for signature enforcement of the "original" and "portable &
immutable" signatures when EVM_INIT_X509 is enabled.

The "original" signature type contains filesystem specific metadata.
Thus it cannot be copied up and verified. However with EVM_INIT_X509
and EVM_ALLOW_METADATA_WRITES enabled, the "original" file signature
may be written.

When EVM_ALLOW_METADATA_WRITES is not set or once it is removed from
/sys/kernel/security/evm by setting EVM_INIT_HMAC for example, it is not
possible to write or remove xattrs on the overlay filesystem.

This change still prevents EVM from writing HMAC signatures on
unsupported filesystem when EVM_INIT_HMAC is enabled.

Co-developed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 security/integrity/evm/evm_main.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)