projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7626676)
evm: reset EVM status when file attributes change
authorDmitry Kasatkin <dmitry.kasatkin@huawei.com>
Thu, 22 Oct 2015 18:26:42 +0000 (21:26 +0300)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Tue, 15 Dec 2015 14:56:57 +0000 (09:56 -0500)
The EVM verification status is cached in iint->evm_status and if it
was successful, never re-verified again when IMA passes the 'iint' to
evm_verifyxattr().

When file attributes or extended attributes change, we may wish to
re-verify EVM integrity as well.  For example, after setting a digital
signature we may need to re-verify the signature and update the
iint->flags that there is an EVM signature.

This patch enables that by resetting evm_status to INTEGRITY_UKNOWN
state.

Changes in v2:
* Flag setting moved to EVM layer

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
security/integrity/evm/evm_main.c patch | blob | blame | history

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 420d94da2793e3d9748a2ac1f137de63a2963822..f7160253f17faad71c17a86b19833123a2edebd4 100644 (file)
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -358,6 +358,15 @@ int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
        return evm_protect_xattr(dentry, xattr_name, NULL, 0);
 }
 
+static void evm_reset_status(struct inode *inode)
+{
+       struct integrity_iint_cache *iint;
+
+       iint = integrity_iint_find(inode);
+       if (iint)
+               iint->evm_status = INTEGRITY_UNKNOWN;
+}
+
 /**
  * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
  * @dentry: pointer to the affected dentry
@@ -378,6 +387,8 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
                                 && !posix_xattr_acl(xattr_name)))
                return;
 
+       evm_reset_status(dentry->d_inode);
+
        evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
 }
 
@@ -396,6 +407,8 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
        if (!evm_initialized || !evm_protected_xattr(xattr_name))
                return;
 
+       evm_reset_status(dentry->d_inode);
+
        evm_update_evmxattr(dentry, xattr_name, NULL, 0);
 }