evm: Introduce evm_status_revalidate()
hulk inclusion category: feature feature: IMA Digest Lists extension bugzilla: 46797 --------------------------- When EVM_ALLOW_METADATA_WRITES is set, EVM allows any operation on metadata. Its main purpose is to allow users to freely set metadata when it is protected by a portable signature, until an HMAC key is loaded. However, callers of evm_verifyxattr() are not notified about metadata changes and continue to rely on the last status returned by the function. For example IMA, since it caches the appraisal result, will not call again evm_verifyxattr() until the appraisal flags are cleared, and will grant access to the file even if there was a metadata operation that made the portable signature invalid. This patch introduces evm_status_revalidate(), which callers of evm_verifyxattr() can use in their xattr post hooks to determine whether re-validation is necessary and to do the proper actions. IMA calls it in its xattr post hooks to reset the appraisal flags, so that the EVM status is re-evaluated after a metadata operation. Lastly, this patch also adds a call to evm_reset_status() in evm_inode_post_setattr() to invalidate the cached EVM status after a setattr operation. Signed-off-by:Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by:
Loading
Please sign in to comment