tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

evm: Support multiple LSMs providing an xattr

Currently, evm_inode_init_security() processes a single LSM xattr from the
array passed by security_inode_init_security(), and calculates the HMAC on
it and other inode metadata.

As the LSM infrastructure now can pass to EVM an array with multiple
xattrs, scan them until the terminator (xattr name NULL), and calculate the
HMAC on all of them.

Also, double check that the xattrs array terminator is the first non-filled
slot (obtained with lsm_get_xattr_slot()). Consumers of the xattrs array,
such as the initxattrs() callbacks, rely on the terminator.

Finally, change the name of the lsm_xattr parameter of evm_init_hmac() to
xattrs, to reflect the new type of information passed.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Roberto Sassu and committed by
Paul Moore c31288e5 6db7d1de

+37 -7
+3 -1
security/integrity/evm/evm.h
··· 46 46 char digest[IMA_MAX_DIGEST_SIZE]; 47 47 } __packed; 48 48 49 + int evm_protected_xattr(const char *req_xattr_name); 50 + 49 51 int evm_init_key(void); 50 52 int evm_update_evmxattr(struct dentry *dentry, 51 53 const char *req_xattr_name, ··· 60 58 const char *req_xattr_value, 61 59 size_t req_xattr_value_len, char type, 62 60 struct evm_digest *data); 63 - int evm_init_hmac(struct inode *inode, const struct xattr *xattr, 61 + int evm_init_hmac(struct inode *inode, const struct xattr *xattrs, 64 62 char *hmac_val); 65 63 int evm_init_secfs(void); 66 64
+9 -2
security/integrity/evm/evm_crypto.c
··· 385 385 return rc; 386 386 } 387 387 388 - int evm_init_hmac(struct inode *inode, const struct xattr *lsm_xattr, 388 + int evm_init_hmac(struct inode *inode, const struct xattr *xattrs, 389 389 char *hmac_val) 390 390 { 391 391 struct shash_desc *desc; 392 + const struct xattr *xattr; 392 393 393 394 desc = init_desc(EVM_XATTR_HMAC, HASH_ALGO_SHA1); 394 395 if (IS_ERR(desc)) { ··· 397 396 return PTR_ERR(desc); 398 397 } 399 398 400 - crypto_shash_update(desc, lsm_xattr->value, lsm_xattr->value_len); 399 + for (xattr = xattrs; xattr->name; xattr++) { 400 + if (!evm_protected_xattr(xattr->name)) 401 + continue; 402 + 403 + crypto_shash_update(desc, xattr->value, xattr->value_len); 404 + } 405 + 401 406 hmac_add_misc(desc, inode, EVM_XATTR_HMAC, hmac_val); 402 407 kfree(desc); 403 408 return 0;
+25 -4
security/integrity/evm/evm_main.c
··· 306 306 return found; 307 307 } 308 308 309 - static int evm_protected_xattr(const char *req_xattr_name) 309 + int evm_protected_xattr(const char *req_xattr_name) 310 310 { 311 311 return evm_protected_xattr_common(req_xattr_name, false); 312 312 } ··· 872 872 int *xattr_count) 873 873 { 874 874 struct evm_xattr *xattr_data; 875 - struct xattr *evm_xattr; 875 + struct xattr *xattr, *evm_xattr; 876 + bool evm_protected_xattrs = false; 876 877 int rc; 877 878 878 - if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs || 879 - !evm_protected_xattr(xattrs->name)) 879 + if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs) 880 + return 0; 881 + 882 + /* 883 + * security_inode_init_security() makes sure that the xattrs array is 884 + * contiguous, there is enough space for security.evm, and that there is 885 + * a terminator at the end of the array. 886 + */ 887 + for (xattr = xattrs; xattr->name; xattr++) { 888 + if (evm_protected_xattr(xattr->name)) 889 + evm_protected_xattrs = true; 890 + } 891 + 892 + /* EVM xattr not needed. */ 893 + if (!evm_protected_xattrs) 880 894 return 0; 881 895 882 896 evm_xattr = lsm_get_xattr_slot(xattrs, xattr_count); 897 + /* 898 + * Array terminator (xattr name = NULL) must be the first non-filled 899 + * xattr slot. 900 + */ 901 + WARN_ONCE(evm_xattr != xattr, 902 + "%s: xattrs terminator is not the first non-filled slot\n", 903 + __func__); 883 904 884 905 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 885 906 if (!xattr_data)