| Message ID | 20230329130415.2312521-4-roberto.sassu@huaweicloud.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp420798vqo;
Wed, 29 Mar 2023 06:38:41 -0700 (PDT)
X-Google-Smtp-Source:
AKy350Yma2Xv7H4Okglbjs/yTRiPilTG9ptXwp3M0+StCCMxtsSw/rKMaVvHzbv4PEkpLgkdb+dt
X-Received: by 2002:aa7:c915:0:b0:4fd:2674:4ff2 with SMTP id
b21-20020aa7c915000000b004fd26744ff2mr20582184edt.11.1680097121556;
Wed, 29 Mar 2023 06:38:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1680097121; cv=none;
d=google.com; s=arc-20160816;
b=YFvHF/0afySPQ1rJYe1qp98ZQTShfriG6VuLGQGNyo9tGwEHMLgPFaZZcrGLUhnPFC
daLtiF7uR6dGo91fWskIAvBXMBuSwJujOQyIYD91Gusz7htEkXFwfhW1++HLm1V9NzVn
Pug5MMcz1GPSNXst39q07c/MMcUFjWpX26P351DKVsC+u50hgvvRRbD7yQS8Kxr6w3H/
lM2yY9njHpcnGKxZwlUA+Y5Q9LPFAo2EJdd7E0ggBt7nFNf44Qe+BvbqulZwrunpwcdf
BgZNlWkZ9I5zcQTSRK45YjV+sSaey4YjzO0brhgfDj2wjzzbiozXQGVEIvd2pRBcX9qf
2Wrw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from;
bh=v5sJi6lHicRSkBanWXsmRO9k4XzUZhVAkBsHTb3hq2s=;
b=anyM0cTLY5i2cYQd6LM1KIIFvRDje6OYLwkDMs2Vv4pnSh2/Kb/3rGE5nRi1koz1qK
XdrkpPRCXYVwQKZRVboUA3o94a+ddgbbgzPvnDnklaYkpA3L30Tntefifwns9AQ3gisY
XbYv5Jb0KEEsqWNhqkdnKNfVa4rmG7RhFyaLjfeXGJtKx4ncy6qVfFM0yTbM5SlKZrvf
1E2bRLJsRI8NKloq0yZ1JjL+A9zRAl2rNAIh9pa/84HOrj1MnOK+ZBO+qNMpEj/6Cfv5
HLtMxVFRpdPdWhpJTdOBQJ1/DxZMxN9qzHgJ5pSNqv9wCpSW0UTmB9m58wMJFRla+wgZ
qufQ==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
r17-20020aa7cb91000000b00501e283279fsi20841889edt.205.2023.03.29.06.38.18;
Wed, 29 Mar 2023 06:38:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229564AbjC2NFz (ORCPT <rfc822;rua109.linux@gmail.com>
+ 99 others); Wed, 29 Mar 2023 09:05:55 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50672 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230118AbjC2NFi (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 29 Mar 2023 09:05:38 -0400
Received: from frasgout12.his.huawei.com (frasgout12.his.huawei.com
[14.137.139.154])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B5F8E4EF5;
Wed, 29 Mar 2023 06:05:32 -0700 (PDT)
Received: from mail02.huawei.com (unknown [172.18.147.227])
by frasgout12.his.huawei.com (SkyGuard) with ESMTP id
4PmmkL3Qj3z9xGX2;
Wed, 29 Mar 2023 20:55:38 +0800 (CST)
Received: from huaweicloud.com (unknown [10.204.63.22])
by APP1 (Coremail) with SMTP id LxC2BwCXFABgNyRk2AzcAQ--.1625S5;
Wed, 29 Mar 2023 14:05:09 +0100 (CET)
From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: zohar@linux.ibm.com, dmitry.kasatkin@gmail.com,
paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
stephen.smalley.work@gmail.com, eparis@parisplace.org,
casey@schaufler-ca.com
Cc: reiserfs-devel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
bpf@vger.kernel.org, kpsingh@kernel.org, keescook@chromium.org,
nicolas.bouchinet@clip-os.org,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH v9 3/4] evm: Align evm_inode_init_security() definition with
LSM infrastructure
Date: Wed, 29 Mar 2023 15:04:14 +0200
Message-Id: <20230329130415.2312521-4-roberto.sassu@huaweicloud.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20230329130415.2312521-1-roberto.sassu@huaweicloud.com>
References: <20230329130415.2312521-1-roberto.sassu@huaweicloud.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-CM-TRANSID: LxC2BwCXFABgNyRk2AzcAQ--.1625S5
X-Coremail-Antispam: 1UD129KBjvJXoWxXF43tw4xZrW8tFyUWw1UGFg_yoWrKw48pa
nxt3WUCr1rJFyUWryFyF47u3WSgFWrGr4UtrZ3G34jyFnrtr1xtFWSyr15uFyrWrW8GrnY
qw42vr1rWwn8t3DanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
9KBjDU0xBIdaVrnRJUUUPqb4IE77IF4wAFF20E14v26rWj6s0DM7CY07I20VC2zVCF04k2
6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28IrcIa0xkI8VA2jI8067AKxVWUWw
A2048vs2IY020Ec7CjxVAFwI0_Xr0E3s1l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxS
w2x7M28EF7xvwVC0I7IYx2IY67AKxVWUCVW8JwA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxV
W8Jr0_Cr1UM28EF7xvwVC2z280aVAFwI0_Gr0_Cr1l84ACjcxK6I8E87Iv6xkF7I0E14v2
6r4UJVWxJr1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2
WlYx0E2Ix0cI8IcVAFwI0_JrI_JrylYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkE
bVWUJVW8JwACjcxG0xvY0x0EwIxGrwACI402YVCY1x02628vn2kIc2xKxwCY1x0262kKe7
AKxVW8ZVWrXwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02
F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_GFv_Wr
ylIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUCVW8JwCI42IY6xIIjxv20xvEc7Cj
xVAFwI0_Gr1j6F4UJwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2z280aVAFwI
0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVW8Jr0_Cr1UYxBIdaVFxhVjvjDU0xZFpf9x
07jzE__UUUUU=
X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAgALBF1jj4dSLAAAsF
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=0.0 required=5.0 tests=SPF_HELO_NONE,SPF_NONE
autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1761709519150138812?=
X-GMAIL-MSGID: =?utf-8?q?1761709519150138812?=
|
| Series |
evm: Do HMAC of multiple per LSM xattrs for new inodes
|
|
Commit Message
Roberto Sassu
March 29, 2023, 1:04 p.m. UTC
From: Roberto Sassu <roberto.sassu@huawei.com> Change the evm_inode_init_security() definition to align with the LSM infrastructure. Keep the existing behavior of including in the HMAC calculation only the first xattr provided by LSMs. Changing the evm_inode_init_security() definition requires passing the xattr array allocated by security_inode_init_security(), and the number of xattrs filled by previously invoked LSMs. Use the newly introduced lsm_find_xattr_slot() to position EVM correctly in the xattrs array, like a regular LSM, and to increment the number of filled slots. For now, the LSM infrastructure allocates enough xattrs slots to store the EVM xattr, without using the reservation mechanism. Finally, make evm_inode_init_security() return value compatible with the inode_init_security hook conventions, i.e. return -EOPNOTSUPP if it is not setting an xattr. EVM is a bit tricky, because xattrs is both an input and an output. If it was just output, EVM should have returned zero if xattrs is NULL. But, since xattrs is also input, EVM is unable to do its calculations, so return -EOPNOTSUPP and handle this error in security_inode_init_security(). Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- include/linux/evm.h | 14 ++++++++------ security/integrity/evm/evm_main.c | 18 +++++++++++------- security/security.c | 6 +++--- 3 files changed, 22 insertions(+), 16 deletions(-)
Comments
On Wed, Mar 29, 2023 at 9:05 AM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote: > > From: Roberto Sassu <roberto.sassu@huawei.com> > > Change the evm_inode_init_security() definition to align with the LSM > infrastructure. Keep the existing behavior of including in the HMAC > calculation only the first xattr provided by LSMs. > > Changing the evm_inode_init_security() definition requires passing the > xattr array allocated by security_inode_init_security(), and the number of > xattrs filled by previously invoked LSMs. > > Use the newly introduced lsm_find_xattr_slot() to position EVM correctly in > the xattrs array, like a regular LSM, and to increment the number of filled > slots. For now, the LSM infrastructure allocates enough xattrs slots to > store the EVM xattr, without using the reservation mechanism. > > Finally, make evm_inode_init_security() return value compatible with the > inode_init_security hook conventions, i.e. return -EOPNOTSUPP if it is not > setting an xattr. > > EVM is a bit tricky, because xattrs is both an input and an output. If it > was just output, EVM should have returned zero if xattrs is NULL. But, > since xattrs is also input, EVM is unable to do its calculations, so return > -EOPNOTSUPP and handle this error in security_inode_init_security(). I don't quite understand why EVM would return EOPNOTSUPP if it is enabled but there are not xattrs to measure. It seems like EVM should return success/0 in the no-xattr case; there were no xattrs to measure, so it succeeded in measuring nothing. Am I missing something? > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > --- > include/linux/evm.h | 14 ++++++++------ > security/integrity/evm/evm_main.c | 18 +++++++++++------- > security/security.c | 6 +++--- > 3 files changed, 22 insertions(+), 16 deletions(-) > > diff --git a/include/linux/evm.h b/include/linux/evm.h > index 7dc1ee74169..3c0e8591b69 100644 > --- a/include/linux/evm.h > +++ b/include/linux/evm.h > @@ -56,9 +56,10 @@ static inline void evm_inode_post_set_acl(struct dentry *dentry, > { > return evm_inode_post_setxattr(dentry, acl_name, NULL, 0); > } > -extern int evm_inode_init_security(struct inode *inode, > - const struct xattr *xattr_array, > - struct xattr *evm); > +extern int evm_inode_init_security(struct inode *inode, struct inode *dir, > + const struct qstr *qstr, > + struct xattr *xattrs, > + int *num_filled_xattrs); > extern bool evm_revalidate_status(const char *xattr_name); > extern int evm_protected_xattr_if_enabled(const char *req_xattr_name); > extern int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer, > @@ -157,9 +158,10 @@ static inline void evm_inode_post_set_acl(struct dentry *dentry, > return; > } > > -static inline int evm_inode_init_security(struct inode *inode, > - const struct xattr *xattr_array, > - struct xattr *evm) > +static inline int evm_inode_init_security(struct inode *inode, struct inode *dir, > + const struct qstr *qstr, > + struct xattr *xattrs, > + int *num_filled_xattrs) > { > return 0; > } > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c > index cf24c525558..9e75759150c 100644 > --- a/security/integrity/evm/evm_main.c > +++ b/security/integrity/evm/evm_main.c > @@ -21,6 +21,7 @@ > #include <linux/evm.h> > #include <linux/magic.h> > #include <linux/posix_acl_xattr.h> > +#include <linux/lsm_hooks.h> > > #include <crypto/hash.h> > #include <crypto/hash_info.h> > @@ -864,23 +865,26 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) > /* > * evm_inode_init_security - initializes security.evm HMAC value > */ > -int evm_inode_init_security(struct inode *inode, > - const struct xattr *lsm_xattr, > - struct xattr *evm_xattr) > +int evm_inode_init_security(struct inode *inode, struct inode *dir, > + const struct qstr *qstr, struct xattr *xattrs, > + int *num_filled_xattrs) > { > struct evm_xattr *xattr_data; > + struct xattr *evm_xattr; > int rc; > > - if (!(evm_initialized & EVM_INIT_HMAC) || > - !evm_protected_xattr(lsm_xattr->name)) > - return 0; > + if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs || > + !evm_protected_xattr(xattrs->name)) > + return -EOPNOTSUPP; > + > + evm_xattr = lsm_find_xattr_slot(xattrs, num_filled_xattrs); > > xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); > if (!xattr_data) > return -ENOMEM; > > xattr_data->data.type = EVM_XATTR_HMAC; > - rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); > + rc = evm_init_hmac(inode, xattrs, xattr_data->digest); > if (rc < 0) > goto out; > > diff --git a/security/security.c b/security/security.c > index be33d643a81..22ab4fb7ebf 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -1674,9 +1674,9 @@ int security_inode_init_security(struct inode *inode, struct inode *dir, > if (!num_filled_xattrs) > goto out; > > - ret = evm_inode_init_security(inode, new_xattrs, > - new_xattrs + num_filled_xattrs); > - if (ret) > + ret = evm_inode_init_security(inode, dir, qstr, new_xattrs, > + &num_filled_xattrs); > + if (ret && ret != -EOPNOTSUPP) > goto out; > ret = initxattrs(inode, new_xattrs, fs_data); > out: > -- > 2.25.1 >
On Thu, 2023-03-30 at 18:55 -0400, Paul Moore wrote: > On Wed, Mar 29, 2023 at 9:05 AM Roberto Sassu > <roberto.sassu@huaweicloud.com> wrote: > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > Change the evm_inode_init_security() definition to align with the LSM > > infrastructure. Keep the existing behavior of including in the HMAC > > calculation only the first xattr provided by LSMs. > > > > Changing the evm_inode_init_security() definition requires passing the > > xattr array allocated by security_inode_init_security(), and the number of > > xattrs filled by previously invoked LSMs. > > > > Use the newly introduced lsm_find_xattr_slot() to position EVM correctly in > > the xattrs array, like a regular LSM, and to increment the number of filled > > slots. For now, the LSM infrastructure allocates enough xattrs slots to > > store the EVM xattr, without using the reservation mechanism. > > > > Finally, make evm_inode_init_security() return value compatible with the > > inode_init_security hook conventions, i.e. return -EOPNOTSUPP if it is not > > setting an xattr. > > > > EVM is a bit tricky, because xattrs is both an input and an output. If it > > was just output, EVM should have returned zero if xattrs is NULL. But, > > since xattrs is also input, EVM is unable to do its calculations, so return > > -EOPNOTSUPP and handle this error in security_inode_init_security(). > > I don't quite understand why EVM would return EOPNOTSUPP if it is > enabled but there are not xattrs to measure. It seems like EVM should > return success/0 in the no-xattr case; there were no xattrs to > measure, so it succeeded in measuring nothing. Am I missing > something? From a very quick look at what other LSMs do, it seems that they return zero even if they are not initialized. So, it makes sense to return zero also here. Thanks Roberto > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > --- > > include/linux/evm.h | 14 ++++++++------ > > security/integrity/evm/evm_main.c | 18 +++++++++++------- > > security/security.c | 6 +++--- > > 3 files changed, 22 insertions(+), 16 deletions(-) > > > > diff --git a/include/linux/evm.h b/include/linux/evm.h > > index 7dc1ee74169..3c0e8591b69 100644 > > --- a/include/linux/evm.h > > +++ b/include/linux/evm.h > > @@ -56,9 +56,10 @@ static inline void evm_inode_post_set_acl(struct dentry *dentry, > > { > > return evm_inode_post_setxattr(dentry, acl_name, NULL, 0); > > } > > -extern int evm_inode_init_security(struct inode *inode, > > - const struct xattr *xattr_array, > > - struct xattr *evm); > > +extern int evm_inode_init_security(struct inode *inode, struct inode *dir, > > + const struct qstr *qstr, > > + struct xattr *xattrs, > > + int *num_filled_xattrs); > > extern bool evm_revalidate_status(const char *xattr_name); > > extern int evm_protected_xattr_if_enabled(const char *req_xattr_name); > > extern int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer, > > @@ -157,9 +158,10 @@ static inline void evm_inode_post_set_acl(struct dentry *dentry, > > return; > > } > > > > -static inline int evm_inode_init_security(struct inode *inode, > > - const struct xattr *xattr_array, > > - struct xattr *evm) > > +static inline int evm_inode_init_security(struct inode *inode, struct inode *dir, > > + const struct qstr *qstr, > > + struct xattr *xattrs, > > + int *num_filled_xattrs) > > { > > return 0; > > } > > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c > > index cf24c525558..9e75759150c 100644 > > --- a/security/integrity/evm/evm_main.c > > +++ b/security/integrity/evm/evm_main.c > > @@ -21,6 +21,7 @@ > > #include <linux/evm.h> > > #include <linux/magic.h> > > #include <linux/posix_acl_xattr.h> > > +#include <linux/lsm_hooks.h> > > > > #include <crypto/hash.h> > > #include <crypto/hash_info.h> > > @@ -864,23 +865,26 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) > > /* > > * evm_inode_init_security - initializes security.evm HMAC value > > */ > > -int evm_inode_init_security(struct inode *inode, > > - const struct xattr *lsm_xattr, > > - struct xattr *evm_xattr) > > +int evm_inode_init_security(struct inode *inode, struct inode *dir, > > + const struct qstr *qstr, struct xattr *xattrs, > > + int *num_filled_xattrs) > > { > > struct evm_xattr *xattr_data; > > + struct xattr *evm_xattr; > > int rc; > > > > - if (!(evm_initialized & EVM_INIT_HMAC) || > > - !evm_protected_xattr(lsm_xattr->name)) > > - return 0; > > + if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs || > > + !evm_protected_xattr(xattrs->name)) > > + return -EOPNOTSUPP; > > + > > + evm_xattr = lsm_find_xattr_slot(xattrs, num_filled_xattrs); > > > > xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); > > if (!xattr_data) > > return -ENOMEM; > > > > xattr_data->data.type = EVM_XATTR_HMAC; > > - rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); > > + rc = evm_init_hmac(inode, xattrs, xattr_data->digest); > > if (rc < 0) > > goto out; > > > > diff --git a/security/security.c b/security/security.c > > index be33d643a81..22ab4fb7ebf 100644 > > --- a/security/security.c > > +++ b/security/security.c > > @@ -1674,9 +1674,9 @@ int security_inode_init_security(struct inode *inode, struct inode *dir, > > if (!num_filled_xattrs) > > goto out; > > > > - ret = evm_inode_init_security(inode, new_xattrs, > > - new_xattrs + num_filled_xattrs); > > - if (ret) > > + ret = evm_inode_init_security(inode, dir, qstr, new_xattrs, > > + &num_filled_xattrs); > > + if (ret && ret != -EOPNOTSUPP) > > goto out; > > ret = initxattrs(inode, new_xattrs, fs_data); > > out: > > -- > > 2.25.1 > > > >
On Fri, 2023-03-31 at 09:32 +0200, Roberto Sassu wrote: > On Thu, 2023-03-30 at 18:55 -0400, Paul Moore wrote: > > On Wed, Mar 29, 2023 at 9:05 AM Roberto Sassu > > <roberto.sassu@huaweicloud.com> wrote: > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > Change the evm_inode_init_security() definition to align with the LSM > > > infrastructure. Keep the existing behavior of including in the HMAC > > > calculation only the first xattr provided by LSMs. > > > > > > Changing the evm_inode_init_security() definition requires passing the > > > xattr array allocated by security_inode_init_security(), and the number of > > > xattrs filled by previously invoked LSMs. > > > > > > Use the newly introduced lsm_find_xattr_slot() to position EVM correctly in > > > the xattrs array, like a regular LSM, and to increment the number of filled > > > slots. For now, the LSM infrastructure allocates enough xattrs slots to > > > store the EVM xattr, without using the reservation mechanism. > > > > > > Finally, make evm_inode_init_security() return value compatible with the > > > inode_init_security hook conventions, i.e. return -EOPNOTSUPP if it is not > > > setting an xattr. > > > > > > EVM is a bit tricky, because xattrs is both an input and an output. If it > > > was just output, EVM should have returned zero if xattrs is NULL. But, > > > since xattrs is also input, EVM is unable to do its calculations, so return > > > -EOPNOTSUPP and handle this error in security_inode_init_security(). > > > > I don't quite understand why EVM would return EOPNOTSUPP if it is > > enabled but there are not xattrs to measure. It seems like EVM should > > return success/0 in the no-xattr case; there were no xattrs to > > measure, so it succeeded in measuring nothing. Am I missing > > something? > > From a very quick look at what other LSMs do, it seems that they return > zero even if they are not initialized. > > So, it makes sense to return zero also here. Oh, actually there was a reason to do that. If an LSM does not wish to provide an xattr, it should return -EOPNOTSUPP. As we are not checking this convention anymore, it is probably fine to return zero. I already made the change, will send the new version shortly. Thanks Roberto > Thanks > > Roberto > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > > --- > > > include/linux/evm.h | 14 ++++++++------ > > > security/integrity/evm/evm_main.c | 18 +++++++++++------- > > > security/security.c | 6 +++--- > > > 3 files changed, 22 insertions(+), 16 deletions(-) > > > > > > diff --git a/include/linux/evm.h b/include/linux/evm.h > > > index 7dc1ee74169..3c0e8591b69 100644 > > > --- a/include/linux/evm.h > > > +++ b/include/linux/evm.h > > > @@ -56,9 +56,10 @@ static inline void evm_inode_post_set_acl(struct dentry *dentry, > > > { > > > return evm_inode_post_setxattr(dentry, acl_name, NULL, 0); > > > } > > > -extern int evm_inode_init_security(struct inode *inode, > > > - const struct xattr *xattr_array, > > > - struct xattr *evm); > > > +extern int evm_inode_init_security(struct inode *inode, struct inode *dir, > > > + const struct qstr *qstr, > > > + struct xattr *xattrs, > > > + int *num_filled_xattrs); > > > extern bool evm_revalidate_status(const char *xattr_name); > > > extern int evm_protected_xattr_if_enabled(const char *req_xattr_name); > > > extern int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer, > > > @@ -157,9 +158,10 @@ static inline void evm_inode_post_set_acl(struct dentry *dentry, > > > return; > > > } > > > > > > -static inline int evm_inode_init_security(struct inode *inode, > > > - const struct xattr *xattr_array, > > > - struct xattr *evm) > > > +static inline int evm_inode_init_security(struct inode *inode, struct inode *dir, > > > + const struct qstr *qstr, > > > + struct xattr *xattrs, > > > + int *num_filled_xattrs) > > > { > > > return 0; > > > } > > > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c > > > index cf24c525558..9e75759150c 100644 > > > --- a/security/integrity/evm/evm_main.c > > > +++ b/security/integrity/evm/evm_main.c > > > @@ -21,6 +21,7 @@ > > > #include <linux/evm.h> > > > #include <linux/magic.h> > > > #include <linux/posix_acl_xattr.h> > > > +#include <linux/lsm_hooks.h> > > > > > > #include <crypto/hash.h> > > > #include <crypto/hash_info.h> > > > @@ -864,23 +865,26 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) > > > /* > > > * evm_inode_init_security - initializes security.evm HMAC value > > > */ > > > -int evm_inode_init_security(struct inode *inode, > > > - const struct xattr *lsm_xattr, > > > - struct xattr *evm_xattr) > > > +int evm_inode_init_security(struct inode *inode, struct inode *dir, > > > + const struct qstr *qstr, struct xattr *xattrs, > > > + int *num_filled_xattrs) > > > { > > > struct evm_xattr *xattr_data; > > > + struct xattr *evm_xattr; > > > int rc; > > > > > > - if (!(evm_initialized & EVM_INIT_HMAC) || > > > - !evm_protected_xattr(lsm_xattr->name)) > > > - return 0; > > > + if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs || > > > + !evm_protected_xattr(xattrs->name)) > > > + return -EOPNOTSUPP; > > > + > > > + evm_xattr = lsm_find_xattr_slot(xattrs, num_filled_xattrs); > > > > > > xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); > > > if (!xattr_data) > > > return -ENOMEM; > > > > > > xattr_data->data.type = EVM_XATTR_HMAC; > > > - rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); > > > + rc = evm_init_hmac(inode, xattrs, xattr_data->digest); > > > if (rc < 0) > > > goto out; > > > > > > diff --git a/security/security.c b/security/security.c > > > index be33d643a81..22ab4fb7ebf 100644 > > > --- a/security/security.c > > > +++ b/security/security.c > > > @@ -1674,9 +1674,9 @@ int security_inode_init_security(struct inode *inode, struct inode *dir, > > > if (!num_filled_xattrs) > > > goto out; > > > > > > - ret = evm_inode_init_security(inode, new_xattrs, > > > - new_xattrs + num_filled_xattrs); > > > - if (ret) > > > + ret = evm_inode_init_security(inode, dir, qstr, new_xattrs, > > > + &num_filled_xattrs); > > > + if (ret && ret != -EOPNOTSUPP) > > > goto out; > > > ret = initxattrs(inode, new_xattrs, fs_data); > > > out: > > > -- > > > 2.25.1 > > >
On Fri, 2023-03-31 at 14:18 +0200, Roberto Sassu wrote: > On Fri, 2023-03-31 at 09:32 +0200, Roberto Sassu wrote: > > On Thu, 2023-03-30 at 18:55 -0400, Paul Moore wrote: > > > On Wed, Mar 29, 2023 at 9:05 AM Roberto Sassu > > > <roberto.sassu@huaweicloud.com> wrote: > > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > > > Change the evm_inode_init_security() definition to align with the LSM > > > > infrastructure. Keep the existing behavior of including in the HMAC > > > > calculation only the first xattr provided by LSMs. > > > > > > > > Changing the evm_inode_init_security() definition requires passing the > > > > xattr array allocated by security_inode_init_security(), and the number of > > > > xattrs filled by previously invoked LSMs. > > > > > > > > Use the newly introduced lsm_find_xattr_slot() to position EVM correctly in > > > > the xattrs array, like a regular LSM, and to increment the number of filled > > > > slots. For now, the LSM infrastructure allocates enough xattrs slots to > > > > store the EVM xattr, without using the reservation mechanism. > > > > > > > > Finally, make evm_inode_init_security() return value compatible with the > > > > inode_init_security hook conventions, i.e. return -EOPNOTSUPP if it is not > > > > setting an xattr. > > > > > > > > EVM is a bit tricky, because xattrs is both an input and an output. If it > > > > was just output, EVM should have returned zero if xattrs is NULL. But, > > > > since xattrs is also input, EVM is unable to do its calculations, so return > > > > -EOPNOTSUPP and handle this error in security_inode_init_security(). > > > > > > I don't quite understand why EVM would return EOPNOTSUPP if it is > > > enabled but there are not xattrs to measure. It seems like EVM should > > > return success/0 in the no-xattr case; there were no xattrs to > > > measure, so it succeeded in measuring nothing. Am I missing > > > something? > > > > From a very quick look at what other LSMs do, it seems that they return > > zero even if they are not initialized. > > > > So, it makes sense to return zero also here. > > Oh, actually there was a reason to do that. If an LSM does not wish to > provide an xattr, it should return -EOPNOTSUPP. In general, the original purpose of -EOPNOTSUPP was to indicate that the filesystem itself did not support security xattrs. This can be seen in evm_verify_hmac(), which returns different values (e.g. INTEGRITY_NOLABEL, INTEGRITY_NOXATTRS, INTEGRITY_UNKNOWN) based on whether security.evm or any protected security xattrs exist. > > As we are not checking this convention anymore, it is probably fine to > return zero. I already made the change, will send the new version > shortly. For security xattr initialization, agreed. Mimi > > > > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > > > --- > > > > include/linux/evm.h | 14 ++++++++------ > > > > security/integrity/evm/evm_main.c | 18 +++++++++++------- > > > > security/security.c | 6 +++--- > > > > 3 files changed, 22 insertions(+), 16 deletions(-) > > > > > > > > diff --git a/include/linux/evm.h b/include/linux/evm.h > > > > index 7dc1ee74169..3c0e8591b69 100644 > > > > --- a/include/linux/evm.h > > > > +++ b/include/linux/evm.h > > > > @@ -56,9 +56,10 @@ static inline void evm_inode_post_set_acl(struct dentry *dentry, > > > > { > > > > return evm_inode_post_setxattr(dentry, acl_name, NULL, 0); > > > > } > > > > -extern int evm_inode_init_security(struct inode *inode, > > > > - const struct xattr *xattr_array, > > > > - struct xattr *evm); > > > > +extern int evm_inode_init_security(struct inode *inode, struct inode *dir, > > > > + const struct qstr *qstr, > > > > + struct xattr *xattrs, > > > > + int *num_filled_xattrs); > > > > extern bool evm_revalidate_status(const char *xattr_name); > > > > extern int evm_protected_xattr_if_enabled(const char *req_xattr_name); > > > > extern int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer, > > > > @@ -157,9 +158,10 @@ static inline void evm_inode_post_set_acl(struct dentry *dentry, > > > > return; > > > > } > > > > > > > > -static inline int evm_inode_init_security(struct inode *inode, > > > > - const struct xattr *xattr_array, > > > > - struct xattr *evm) > > > > +static inline int evm_inode_init_security(struct inode *inode, struct inode *dir, > > > > + const struct qstr *qstr, > > > > + struct xattr *xattrs, > > > > + int *num_filled_xattrs) > > > > { > > > > return 0; > > > > } > > > > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c > > > > index cf24c525558..9e75759150c 100644 > > > > --- a/security/integrity/evm/evm_main.c > > > > +++ b/security/integrity/evm/evm_main.c > > > > @@ -21,6 +21,7 @@ > > > > #include <linux/evm.h> > > > > #include <linux/magic.h> > > > > #include <linux/posix_acl_xattr.h> > > > > +#include <linux/lsm_hooks.h> > > > > > > > > #include <crypto/hash.h> > > > > #include <crypto/hash_info.h> > > > > @@ -864,23 +865,26 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) > > > > /* > > > > * evm_inode_init_security - initializes security.evm HMAC value > > > > */ > > > > -int evm_inode_init_security(struct inode *inode, > > > > - const struct xattr *lsm_xattr, > > > > - struct xattr *evm_xattr) > > > > +int evm_inode_init_security(struct inode *inode, struct inode *dir, > > > > + const struct qstr *qstr, struct xattr *xattrs, > > > > + int *num_filled_xattrs) > > > > { > > > > struct evm_xattr *xattr_data; > > > > + struct xattr *evm_xattr; > > > > int rc; > > > > > > > > - if (!(evm_initialized & EVM_INIT_HMAC) || > > > > - !evm_protected_xattr(lsm_xattr->name)) > > > > - return 0; > > > > + if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs || > > > > + !evm_protected_xattr(xattrs->name)) > > > > + return -EOPNOTSUPP; > > > > + > > > > + evm_xattr = lsm_find_xattr_slot(xattrs, num_filled_xattrs); > > > > > > > > xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); > > > > if (!xattr_data) > > > > return -ENOMEM; > > > > > > > > xattr_data->data.type = EVM_XATTR_HMAC; > > > > - rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); > > > > + rc = evm_init_hmac(inode, xattrs, xattr_data->digest); > > > > if (rc < 0) > > > > goto out; > > > > > > > > diff --git a/security/security.c b/security/security.c > > > > index be33d643a81..22ab4fb7ebf 100644 > > > > --- a/security/security.c > > > > +++ b/security/security.c > > > > @@ -1674,9 +1674,9 @@ int security_inode_init_security(struct inode *inode, struct inode *dir, > > > > if (!num_filled_xattrs) > > > > goto out; > > > > > > > > - ret = evm_inode_init_security(inode, new_xattrs, > > > > - new_xattrs + num_filled_xattrs); > > > > - if (ret) > > > > + ret = evm_inode_init_security(inode, dir, qstr, new_xattrs, > > > > + &num_filled_xattrs); > > > > + if (ret && ret != -EOPNOTSUPP) > > > > goto out; > > > > ret = initxattrs(inode, new_xattrs, fs_data); > > > > out: > > > > -- > > > > 2.25.1 > > > > >
diff --git a/include/linux/evm.h b/include/linux/evm.h index 7dc1ee74169..3c0e8591b69 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -56,9 +56,10 @@ static inline void evm_inode_post_set_acl(struct dentry *dentry, { return evm_inode_post_setxattr(dentry, acl_name, NULL, 0); } -extern int evm_inode_init_security(struct inode *inode, - const struct xattr *xattr_array, - struct xattr *evm); +extern int evm_inode_init_security(struct inode *inode, struct inode *dir, + const struct qstr *qstr, + struct xattr *xattrs, + int *num_filled_xattrs); extern bool evm_revalidate_status(const char *xattr_name); extern int evm_protected_xattr_if_enabled(const char *req_xattr_name); extern int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer, @@ -157,9 +158,10 @@ static inline void evm_inode_post_set_acl(struct dentry *dentry, return; } -static inline int evm_inode_init_security(struct inode *inode, - const struct xattr *xattr_array, - struct xattr *evm) +static inline int evm_inode_init_security(struct inode *inode, struct inode *dir, + const struct qstr *qstr, + struct xattr *xattrs, + int *num_filled_xattrs) { return 0; } diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index cf24c525558..9e75759150c 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -21,6 +21,7 @@ #include <linux/evm.h> #include <linux/magic.h> #include <linux/posix_acl_xattr.h> +#include <linux/lsm_hooks.h> #include <crypto/hash.h> #include <crypto/hash_info.h> @@ -864,23 +865,26 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) /* * evm_inode_init_security - initializes security.evm HMAC value */ -int evm_inode_init_security(struct inode *inode, - const struct xattr *lsm_xattr, - struct xattr *evm_xattr) +int evm_inode_init_security(struct inode *inode, struct inode *dir, + const struct qstr *qstr, struct xattr *xattrs, + int *num_filled_xattrs) { struct evm_xattr *xattr_data; + struct xattr *evm_xattr; int rc; - if (!(evm_initialized & EVM_INIT_HMAC) || - !evm_protected_xattr(lsm_xattr->name)) - return 0; + if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs || + !evm_protected_xattr(xattrs->name)) + return -EOPNOTSUPP; + + evm_xattr = lsm_find_xattr_slot(xattrs, num_filled_xattrs); xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); if (!xattr_data) return -ENOMEM; xattr_data->data.type = EVM_XATTR_HMAC; - rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); + rc = evm_init_hmac(inode, xattrs, xattr_data->digest); if (rc < 0) goto out; diff --git a/security/security.c b/security/security.c index be33d643a81..22ab4fb7ebf 100644 --- a/security/security.c +++ b/security/security.c @@ -1674,9 +1674,9 @@ int security_inode_init_security(struct inode *inode, struct inode *dir, if (!num_filled_xattrs) goto out; - ret = evm_inode_init_security(inode, new_xattrs, - new_xattrs + num_filled_xattrs); - if (ret) + ret = evm_inode_init_security(inode, dir, qstr, new_xattrs, + &num_filled_xattrs); + if (ret && ret != -EOPNOTSUPP) goto out; ret = initxattrs(inode, new_xattrs, fs_data); out: