Re: [PATCH v6 04/11] evm: Introduce evm_status_revalidate()

From: Mimi Zohar
Date: Tue May 11 2021 - 09:42:22 EST


On Wed, 2021-05-05 at 13:29 +0200, Roberto Sassu wrote:
> When EVM_ALLOW_METADATA_WRITES is set, EVM allows any operation on
> metadata. Its main purpose is to allow users to freely set metadata when it
> is protected by a portable signature, until an HMAC key is loaded.
>
> However, callers of evm_verifyxattr() are not notified about metadata
> changes and continue to rely on the last status returned by the function.
> For example IMA, since it caches the appraisal result, will not call
> evm_verifyxattr() again until the appraisal flags are cleared, and will grant
> access to the file even if there was a metadata operation that made the
> portable signature invalid.
>
> This patch introduces evm_status_revalidate(), which callers of
> evm_verifyxattr() can use in their xattr hooks to determine whether
> re-validation is necessary and to do the proper actions. IMA calls it in
> its xattr hooks to reset the appraisal flags, so that the EVM status is
> re-evaluated after a metadata operation.
>
> Lastly, this patch also adds a call to evm_reset_status() in
> evm_inode_post_setattr() to invalidate the cached EVM status after a
> setattr operation.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

I'm really sorry for the patch churn, but could you rename
evm_status_revalidate() to evm_revalidate_status()?

Otherwise,

Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

thanks,

Mimi
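The stale-status problem the commit message describes (IMA caches the EVM appraisal result, metadata writes are allowed while no HMAC key is loaded, and the cached PASS outlives the portable signature) can be reproduced in a small user-space model. This is an added illustration, not code from the kernel, the patch set, or its authors: the struct, the function names with a toy_ prefix, the FNV-1a digest standing in for a portable signature, and the two setxattr paths are assumptions made for the demonstration. The only thing it shows is the cache-invalidation behaviour the revalidate hook is meant to add.

```c
/* Added example, not kernel code: toy model of IMA caching an EVM status
 * across a permitted metadata write, with and without a revalidate hook. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum evm_status { EVM_UNKNOWN, EVM_PASS, EVM_FAIL };

/* Stand-in for an inode plus its integrity metadata (assumed layout). */
struct toy_inode {
    uint32_t mode, uid, gid;
    char selinux[64];            /* value of security.selinux */
    uint64_t portable_sig;       /* digest over the fields above (toy signature) */
    bool appraised;              /* IMA-side "appraisal flags set" */
    enum evm_status cached;      /* IMA-side cached EVM status */
};

/* EVM_ALLOW_METADATA_WRITES set and no HMAC key loaded (assumed state). */
static bool evm_allow_metadata_writes = true;

/* FNV-1a: a placeholder for the real signature, chosen only for brevity. */
static uint64_t fnv1a(const void *p, size_t n, uint64_t h) {
    const unsigned char *b = p;
    for (size_t k = 0; k < n; k++) { h ^= b[k]; h *= 1099511628211ULL; }
    return h;
}

static uint64_t digest_metadata(const struct toy_inode *i) {
    uint64_t h = 14695981039346656037ULL;
    h = fnv1a(&i->mode, sizeof i->mode, h);
    h = fnv1a(&i->uid, sizeof i->uid, h);
    h = fnv1a(&i->gid, sizeof i->gid, h);
    return fnv1a(i->selinux, strlen(i->selinux), h);
}

/* Roughly evm_verifyxattr(): recompute over current metadata and compare. */
static enum evm_status toy_evm_verify(const struct toy_inode *i) {
    return digest_metadata(i) == i->portable_sig ? EVM_PASS : EVM_FAIL;
}

/* Roughly IMA appraisal: EVM is consulted only while nothing is cached. */
static enum evm_status toy_ima_appraise(struct toy_inode *i) {
    if (!i->appraised) {
        i->cached = toy_evm_verify(i);
        i->appraised = true;
    }
    return i->cached;
}

/* Roughly evm_revalidate_status(): a metadata write under
 * EVM_ALLOW_METADATA_WRITES means the cached status can no longer be trusted. */
static bool toy_evm_revalidate_status(void) { return evm_allow_metadata_writes; }

static int write_selinux(struct toy_inode *i, const char *v) {
    if (!evm_allow_metadata_writes) return -1;       /* EPERM in the real hook */
    snprintf(i->selinux, sizeof i->selinux, "%s", v);
    return 0;
}

/* setxattr path before the patch: IMA's cache is never reset. */
static int setxattr_unfixed(struct toy_inode *i, const char *v) {
    return write_selinux(i, v);
}

/* setxattr path after the patch: IMA's xattr hook asks EVM and clears flags. */
static int setxattr_fixed(struct toy_inode *i, const char *v) {
    int rc = write_selinux(i, v);
    if (rc == 0 && toy_evm_revalidate_status()) {
        i->appraised = false;
        i->cached = EVM_UNKNOWN;
    }
    return rc;
}

/* Sign, appraise once, change a protected xattr, appraise again. Returns the
 * second appraisal result, i.e. what IMA would base its access decision on. */
static enum evm_status run_scenario(int (*setxattr)(struct toy_inode *, const char *)) {
    struct toy_inode i = { .mode = 0100755, .uid = 0, .gid = 0,
                           .selinux = "system_u:object_r:bin_t:s0" };   /* constructed sample */
    i.portable_sig = digest_metadata(&i);                /* "signed" at image build time */
    if (toy_ima_appraise(&i) != EVM_PASS) return EVM_FAIL;
    if (setxattr(&i, "unconfined_u:object_r:bin_t:s0") != 0) return EVM_FAIL;
    return toy_ima_appraise(&i);
}

enum evm_status scenario_unfixed(void) { return run_scenario(setxattr_unfixed); }
enum evm_status scenario_fixed(void)   { return run_scenario(setxattr_fixed); }

int main(void) {
    printf("without revalidate hook: %s\n", scenario_unfixed() == EVM_PASS ? "PASS (stale)" : "FAIL");
    printf("with revalidate hook:    %s\n", scenario_fixed() == EVM_PASS ? "PASS" : "FAIL");
    return 0;
}
```

The unfixed path keeps reporting PASS after the security.selinux value no longer matches the signed metadata; the fixed path clears the cached state in the xattr hook so the next appraisal recomputes and reports FAIL.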