Re: [PATCH] fs: Return raw xattr for security.* if there is size disagreement with LSMs

From: Mimi Zohar
Date: Fri Jun 18 2021 - 12:04:50 EST


On Thu, 2021-06-17 at 23:18 -0400, Paul Moore wrote:
> On Thu, Jun 17, 2021 at 11:28 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > On Thu, 2021-06-17 at 07:09 +0000, Roberto Sassu wrote:
>
> ...
>
> > > An alternative would be to do the EVM verification twice if the
> > > first time didn't succeed (with vfs_getxattr_alloc() and with the
> > > new function that behaves like vfs_getxattr()).
> >
> > Unfortunately, I don't see an alternative.
>
> ... and while unfortunate, the impact should be non-existant if you
> are using the right tools to label files or ensuring that you are
> formatting labels properly if doing it by hand.
>
> Handling a corner case is good, but I wouldn't add a lot of code
> complexity trying to optimize it.

>From userspace it's really difficult to understand the EVM signature
verification failure is due to the missing NULL.

Roberto, I just pushed the "evm: output EVM digest calculation info"
patch to the next-integrity-testing branch, which includes some
debugging. Instead of this patch, which returns the raw xattr data,
how about adding additional debugging info in evm_calc_hmac_or_hash()
indicating the size discrepancy between the raw xattr and the LSM
returned xattr?

thanks,

Mimi