Re: [RFC] EVM: Add support for portable signature format

[RFC] EVM: Add support for portable signature format · Matthew Garrett <hidden> · 2017-10-26
Re: [RFC] EVM: Add support for portable signature format · Mikhail Kurinnoi <hidden> · 2017-10-26
Re: [RFC] EVM: Add support for portable signature format · Matthew Garrett <hidden> · 2017-10-26
Re: [RFC] EVM: Add support for portable signature format · Mikhail Kurinnoi <hidden> · 2017-10-26
Re: [RFC] EVM: Add support for portable signature format · Mimi Zohar <hidden> · 2017-10-26
Re: [RFC] EVM: Add support for portable signature format · Matthew Garrett <hidden> · 2017-10-30
Re: [RFC] EVM: Add support for portable signature format · Mimi Zohar <hidden> · 2017-10-30
Re: [RFC] EVM: Add support for portable signature format · Matthew Garrett <hidden> · 2017-10-30
Re: [RFC] EVM: Add support for portable signature format · Mimi Zohar <hidden> · 2017-10-30
RE: [RFC] EVM: Add support for portable signature format · Dmitry Kasatkin <hidden> · 2017-10-27
Re: [RFC] EVM: Add support for portable signature format · Mimi Zohar <hidden> · 2017-10-30
Re: [RFC] EVM: Add support for portable signature format · Matthew Garrett <hidden> · 2017-10-30
Re: [RFC] EVM: Add support for portable signature format · Mimi Zohar <hidden> · 2017-10-30
Re: [RFC] EVM: Add support for portable signature format · Matthew Garrett <hidden> · 2017-10-30
RE: [RFC] EVM: Add support for portable signature format · Dmitry Kasatkin <hidden> · 2017-10-27
Re: [RFC] EVM: Add support for portable signature format · Mimi Zohar <hidden> · 2017-10-30
Re: [RFC] EVM: Add support for portable signature format · Matthew Garrett <hidden> · 2017-10-30
Re: [RFC] EVM: Add support for portable signature format · Mimi Zohar <hidden> · 2017-10-30
Re: [RFC] EVM: Add support for portable signature format · Matthew Garrett <hidden> · 2017-10-30
Re: [RFC] EVM: Add support for portable signature format · Matthew Garrett <hidden> · 2017-11-01
Re: [RFC] EVM: Add support for portable signature format · Mimi Zohar <hidden> · 2017-11-01

From: Mikhail Kurinnoi <hidden>
Date: 2017-10-26 09:03:33

? Thu, 26 Oct 2017 01:31:44 -0700
Matthew Garrett [off-list ref] ?????:

quoted hunk ↗ jump to hunk

@@ -317,7 +319,7 @@ void ima_update_xattr(struct integrity_iint_cache

*iint, struct file *file) int rc = 0;
 
 	/* do not collect and update hash for digital signatures */
-	if (iint->flags & IMA_DIGSIG)
+	if (iint->flags & IMA_DIGSIG || iint->flags &
EVM_IMMUTABLE_DIGSIG) return;

Isn't this mean, we already changed files data, and we just don't allow
IMA xattr update? This file will not pass integrity verification
next time.

I thought, the idea was prevent data changes, and in this way prevent
IMA xattr update.


-- 
Best regards,
Mikhail Kurinnoi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help