Re: [RFC][PATCH 1/3] evm: Move hooks outside LSM infrastructure

[Mimi Zohar]

On Tue, 2020-05-12 at 07:54 +0000, Roberto Sassu wrote:
> > > > Roberto, EVM is only triggered by IMA, unless you've modified the
> > > > kernel to do otherwise.
> > >
> > > EVM would deny xattr/attr operations even if IMA is disabled in the
> > > kernel configuration. For example, evm_setxattr() returns the value
> > > from evm_protect_xattr(). IMA is not involved there.
> > 
> > CommitÂae1ba1676b88 ("EVM: Allow userland to permit modification of
> > EVM-protected metadata") introducedÂEVM_ALLOW_METADATA_WRITES
> > to allow writing the EVM portable and immutable file signatures.
> 
> According to Documentation/ABI/testing/evm:
> 
> Note that once a key has been loaded, it will no longer be
> possible to enable metadata modification.

Not any key, but the HMAC key.
Â
2ÂÂÂÂÂÂÂÂÂPermit modification of EVM-protected metadata at
     runtime. Not supported if HMAC validation and
     creation is enabled.

Each time the EVM protected file metadata is updated, the EVM HMAC is
updated, assuming the existing EVM HMAC is valid. ÂUserspace should
not have access to the HMAC key, so we only allow writing EVM
signatures.

The only difference between writing the original EVM signature and the
new portable and immutable signature is the security.ima xattr
requirement. ÂSince the new EVM signature does not include the
filesystem specific data, something else needs to bind the file
metadata to the file data. ÂThus the IMA xattr requirement.

Assuming that the new EVM signature is written last, as long as there
is an IMA xattr, there shouldn't be a problem writing the new EVM
signature.

Mimi