Commit 5926586f authored by Mimi Zohar's avatar Mimi Zohar

ima: fix blocking of security.ima xattrs of unsupported algorithms



Limit validating the hash algorithm to just security.ima xattr, not
the security.evm xattr or any of the protected EVM security xattrs,
nor posix acls.

Fixes: 50f742dd ("IMA: block writes of the security.ima xattr with unsupported algorithms")
Reported-by: default avatarChristian Brauner <brauner@kernel.org>
Acked-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent 1c23f9e6
+8 −4
@@ -750,22 +750,26 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
	const struct evm_ima_xattr_data *xvalue = xattr_value;
	int digsig = 0;
	int result;
	int err;

	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
				   xattr_value_len);
	if (result == 1) {
		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
			return -EINVAL;

		err = validate_hash_algo(dentry, xvalue, xattr_value_len);
		if (err)
			return err;

		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
	} else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
		digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
	}
	if (result == 1 || evm_revalidate_status(xattr_name)) {
		result = validate_hash_algo(dentry, xvalue, xattr_value_len);
		if (result)
			return result;

		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
		if (result == 1)
			result = 0;
	}
	return result;
}
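Review bot: The new validate_hash_algo() call inside the `result == 1` branch carries no comment explaining why it is deliberately not performed for the security.evm path or for the other xattrs that reach the second `if`, so a later cleanup could easily hoist it back into the shared block and reintroduce the regression this commit fixes; a one-line note above the call, `/* Only security.ima carries a hash-algorithm header; EVM xattrs, protected xattrs and POSIX ACLs must not be hash-validated. */`, would pin that intent. The retained `if (result == 1) result = 0;` at the end also deserves a word, since it appears to be what keeps a non-1 value from ima_protect_xattr() (presumably an error) intact when evm_revalidate_status() is true — worth confirming against ima_protect_xattr()'s return contract, which is not visible here. The function's signature precedes the hunk.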