Re: [RFC][PATCH 1/3] evm: Move hooks outside LSM infrastructure
From: Mimi Zohar
Date: Wed May 06 2020 - 15:45:12 EST
[Cc: John Johansen]Â
On Wed, 2020-04-29 at 09:39 +0200, Roberto Sassu wrote:
> EVM is a module for the protection of the integrity of file metadata. It
> protects security-relevant extended attributes, and some file attributes
> such as the UID and the GID. It protects their integrity with an HMAC or
> with a signature.
>
> What makes EVM different from other LSMs is that it makes a security
> decision depending on multiple pieces of information, which cannot be
> managed atomically by the system.
>
> Example: cp -a file.orig file.dest
>
> If security.selinux, security.ima and security.evm must be preserved, cp
> will invoke setxattr() for each xattr, and EVM performs a verification
> during each operation. The problem is that copying security.evm from
> file.orig to file.dest will likely break the following EVM verifications if
> some metadata still have to be copied. EVM has no visibility on the
> metadata of the source file, so it cannot determine when the copy can be
> considered complete.
I remember having a similar discussion in the past. ÂAt the time,
there wasn't EVM portable and immutable signature support, just the
HMAC and original signature types. ÂNeither of these EVM xattrs types
should be copied.
Calling evm_verifyxattr() is not limited to IMA, but may be called by
other LSMs/subsystems as well. ÂAt some point, there was some
discussion about AppArmor calling it directly. ÂNot sure if that is
still being discussed.
Since copying the EVM HMAC or original signature isn't applicable, I
would prefer exploring an EVM portable and immutable signature only
solution.
Mimi