Thread (40 messages, 5 authors), 2021-05-04

Re: [PATCH v5 06/12] evm: Ignore INTEGRITY_NOLABEL/INTEGRITY_NOXATTRS if conditions are safe

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2021-05-04 13:46:14
Also in: linux-fsdevel, linux-security-module, lkml

On Tue, 2021-05-04 at 13:16 +0000, Roberto Sassu wrote:
From: Mimi Zohar [mailto:zohar@linux.ibm.com]
Sent: Monday, May 3, 2021 4:35 PM
On Mon, 2021-05-03 at 14:15 +0000, Roberto Sassu wrote:
 	if (evm_status != INTEGRITY_PASS)
 		integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
d_backing_inode(dentry),
 				    dentry->d_name.name,
"appraise_metadata",
@@ -515,7 +535,8 @@ int evm_inode_setattr(struct dentry *dentry,
struct
iattr *attr)
 		return 0;
 	evm_status = evm_verify_current_integrity(dentry);
 	if ((evm_status == INTEGRITY_PASS) ||
-	    (evm_status == INTEGRITY_NOXATTRS))
+	    (evm_status == INTEGRITY_NOXATTRS) ||
+	    (evm_ignore_error_safe(evm_status)))
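Review bot: the new condition keeps the explicit `evm_status == INTEGRITY_NOXATTRS` test next to the added `evm_ignore_error_safe(evm_status)` call, but nothing in the hunk says which statuses the helper exempts, so a reader cannot tell whether the explicit test is still load-bearing or only matters while the HMAC key is loaded. If the helper exempts INTEGRITY_NOXATTRS whenever EVM HMAC is disabled (as its other caller, evm_protect_xattr(), is said to need), the two tests overlap in that state and the helper's name hides which one decides; if it does not, the name is misleading. Either inline the test against the HMAC state here, e.g. `(evm_status == INTEGRITY_NOLABEL && evm_hmac_disabled())`, or add a comment on the helper stating exactly which statuses it covers and why evm_inode_setattr() still needs its own INTEGRITY_NOXATTRS check.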
It would also remove the INTEGRITY_NOXATTRS test duplication here.
Ok.
Actually, it does not seem a duplication. Currently, INTEGRITY_NOXATTRS
is ignored also when the HMAC key is loaded.
The existing INTEGRITY_NOXATTRS exemption is more general and includes
the new case of when EVM HMAC is disabled.  The additional exemption is
only needed for INTEGRITY_NOLABEL, when EVM HMAC is disabled.
Unfortunately, evm_ignore_error_safe() is called by both evm_protect_xattr()
and evm_inode_setattr(). The former requires an exemption also for
INTEGRITY_NOXATTRS.

I would keep the function as it is. In the worst case, when the status is
INTEGRITY_NOXATTRS in evm_inode_setattr(), the function will not
be called.
Right, which is another reason for replacing evm_ignore_error_safe()
with (is_)evm_hmac_disabled() and inlining the error tests.

thanks,

Mimi
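The point being argued above (that the INTEGRITY_NOXATTRS exemption in evm_inode_setattr() is already general, that the new exemption only has to add INTEGRITY_NOLABEL when EVM HMAC is disabled, and that a shared helper hides that difference) can be checked with a small userspace model. This is an added example, not kernel code and not the posted patch: the status names mirror the kernel's integrity_status enum, but the helpers evm_hmac_disabled() and evm_ignore_error_safe(), the simplified evm_protect_xattr() decision, and the policy encoded in them are assumptions taken from the discussion, not the merged implementation.

```c
/*
 * Userspace model of the EVM status handling discussed in the thread.
 * Assumptions (not kernel code): the helper names, the "HMAC key loaded"
 * flag, and the simplified evm_protect_xattr() policy below.
 */
#include <stdbool.h>
#include <stdio.h>

enum integrity_status {
	INTEGRITY_PASS,
	INTEGRITY_FAIL,
	INTEGRITY_NOLABEL,
	INTEGRITY_NOXATTRS,
	INTEGRITY_UNKNOWN,
};

/* Stands in for the kernel's "is an EVM HMAC key loaded" state. */
static bool hmac_key_loaded = true;

void set_hmac_key_loaded(bool loaded)
{
	hmac_key_loaded = loaded;
}

static bool evm_hmac_disabled(void)
{
	return !hmac_key_loaded;
}

/*
 * Shared helper as Roberto describes it: it is called from both
 * evm_protect_xattr() and evm_inode_setattr(), so it must exempt
 * NOXATTRS as well as NOLABEL once HMAC is disabled (assumed policy).
 */
bool evm_ignore_error_safe(enum integrity_status st)
{
	if (!evm_hmac_disabled())
		return false;
	return st == INTEGRITY_NOLABEL || st == INTEGRITY_NOXATTRS;
}

/* evm_inode_setattr() decision as written in the patch hunk. */
bool setattr_allowed_patch(enum integrity_status st)
{
	return st == INTEGRITY_PASS ||
	       st == INTEGRITY_NOXATTRS ||
	       evm_ignore_error_safe(st);
}

/* Same decision with the helper inlined against the HMAC state, as suggested. */
bool setattr_allowed_inlined(enum integrity_status st)
{
	return st == INTEGRITY_PASS ||
	       st == INTEGRITY_NOXATTRS ||
	       (st == INTEGRITY_NOLABEL && evm_hmac_disabled());
}

/*
 * Simplified evm_protect_xattr() decision (assumption): no unconditional
 * NOXATTRS exemption, so it relies on the helper for both error statuses.
 */
bool protect_xattr_allowed(enum integrity_status st)
{
	return st == INTEGRITY_PASS || evm_ignore_error_safe(st);
}

/* True if the two setattr formulations agree for every status in both HMAC states. */
bool setattr_formulations_agree(void)
{
	bool saved = hmac_key_loaded;
	bool agree = true;

	for (int key = 0; key < 2 && agree; key++) {
		hmac_key_loaded = key;
		for (int st = INTEGRITY_PASS; st <= INTEGRITY_UNKNOWN; st++)
			if (setattr_allowed_patch(st) != setattr_allowed_inlined(st))
				agree = false;
	}
	hmac_key_loaded = saved;
	return agree;
}

int main(void)
{
	static const char *names[] = { "PASS", "FAIL", "NOLABEL", "NOXATTRS", "UNKNOWN" };

	for (int key = 1; key >= 0; key--) {
		set_hmac_key_loaded(key);
		printf("HMAC key %s:\n", key ? "loaded" : "not loaded");
		for (int st = INTEGRITY_PASS; st <= INTEGRITY_UNKNOWN; st++)
			printf("  %-9s setattr=%d protect_xattr=%d\n", names[st],
			       setattr_allowed_patch(st), protect_xattr_allowed(st));
	}
	printf("formulations agree: %d\n", setattr_formulations_agree());
	return 0;
}
```

Running the model shows why the two sides of the thread are both right within their own scope: in evm_inode_setattr() the explicit NOXATTRS test already covers the HMAC-disabled case, so inlining `evm_status == INTEGRITY_NOLABEL && evm_hmac_disabled()` gives identical decisions, while evm_protect_xattr() (in this model) only gets its NOXATTRS exemption through the helper.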