Re: [PATCH 2/4] evm: reset status in evm_inode_post_setattr()

From: Mimi Zohar
Date: Mon May 20 2019 - 17:22:41 EST


On Thu, 2019-05-16 at 18:12 +0200, Roberto Sassu wrote:
> This patch adds a call to evm_reset_status() in evm_inode_post_setattr(),
> before security.evm is updated. The same is done in the other
> evm_inode_post_* functions.
>
> Fixes: 523b74b16bcbb ("evm: reset EVM status when file attributes change")
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx

Why all of a sudden do we also need to clear the EVM cached status
when modifying the file attributes? ÂThe HMAC is being recalculated. Â
If the reason is because of EVM portable and immutable signatures,
then the "Fixes" tag is incorrect.

Mimi

> ---
> security/integrity/evm/evm_main.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index b6d9f14bc234..b41c2d8a8834 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -512,8 +512,11 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
> if (!evm_key_loaded())
> return;
>
> - if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
> + if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) {
> + evm_reset_status(dentry->d_inode);
> +
> evm_update_evmxattr(dentry, NULL, NULL, 0);
> + }
> }
>
> /*