RE: [PATCH 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded
From: Roberto Sassu <roberto.sassu@huawei.com>
Date: 2020-08-31 08:24:38
Also in: linux-integrity, lkml, stable
> From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> Sent: Friday, August 21, 2020 10:15 PM
>
> Hi Roberto,
>
> On Thu, 2020-06-18 at 18:01 +0200, Roberto Sassu wrote:
> > Granting metadata write is safe if the HMAC key is not loaded, as it
> > won't let an attacker obtain a valid HMAC from corrupted xattrs.
> > evm_write_key() however does not allow it if any key is loaded,
> > including a public key, which should not be a problem.
>
> Why is the existing behavior a problem? What is the problem being solved?
Hi Mimi

currently it is not possible to set EVM_ALLOW_METADATA_WRITES when only
a public key is loaded and the HMAC key is not. The patch removes this
limitation.
> > This patch allows setting EVM_ALLOW_METADATA_WRITES if the
> > EVM_INIT_HMAC flag is not set.
> >
> > Cc: stable@vger.kernel.org # 4.16.x
> > Fixes: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- security/integrity/evm/evm_secfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)diff --git a/security/integrity/evm/evm_secfs.cb/security/integrity/evm/evm_secfs.cquoted
index cfc3075769bb..92fe26ace797 100644--- a/security/integrity/evm/evm_secfs.c +++ b/security/integrity/evm/evm_secfs.c@@ -84,7 +84,7 @@ static ssize_t evm_write_key(struct file *file, constchar __user *buf,quoted
* keys are loaded. */ if ((i & EVM_ALLOW_METADATA_WRITES) && - ((evm_initialized & EVM_KEY_MASK) != 0) && + ((evm_initialized & EVM_INIT_HMAC) != 0) && !(evm_initialized & EVM_ALLOW_METADATA_WRITES)) return -EPERM;quoted
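Review bot: the comment whose tail is the context line `* keys are loaded. */` still describes the pre-patch rule, under which EVM_ALLOW_METADATA_WRITES was refused once any key in EVM_KEY_MASK was loaded; with the condition narrowed to `((evm_initialized & EVM_INIT_HMAC) != 0)`, reword that comment to say metadata writes are refused only once the HMAC key is loaded, otherwise the comment and the code it sits above disagree.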
> Documentation/ABI/testing/evm needs to be updated as well.
Ok.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
> thanks,
>
> Mimi
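The gate under discussion, as an added example that is not code from this thread or from the kernel: a userspace model of the one condition in evm_write_key() that the patch changes, with the pre-patch test (EVM_KEY_MASK, any key loaded) and the post-patch test (EVM_INIT_HMAC, only the HMAC key) evaluated side by side over every combination of loaded keys. The flag values are assumed to mirror the kernel's security/integrity/evm/evm.h; the helper names evm_gate_old, evm_gate_new and evm_gate_diff_count are this example's own, and the other checks the real function performs (key loading, EVM_SETUP_COMPLETE handling) are deliberately not modelled.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Flag values assumed to match security/integrity/evm/evm.h in the
 * tree this series targets (not copied from the thread). */
#define EVM_INIT_HMAC             0x0001u
#define EVM_INIT_X509             0x0002u
#define EVM_ALLOW_METADATA_WRITES 0x0004u
#define EVM_SETUP_COMPLETE        0x80000000u
#define EVM_KEY_MASK  (EVM_INIT_HMAC | EVM_INIT_X509)
#define EVM_INIT_MASK (EVM_INIT_HMAC | EVM_INIT_X509 | \
		       EVM_ALLOW_METADATA_WRITES | EVM_SETUP_COMPLETE)

/*
 * Model of the gate in evm_write_key(): 'state' plays the role of
 * evm_initialized, 'request' the value userspace writes to
 * <securityfs>/evm.  Returns 0 when the write passes the gate,
 * -EPERM when the gate refuses it, -EINVAL for an empty request or
 * bits outside EVM_INIT_MASK.  hmac_only selects the post-patch
 * condition (EVM_INIT_HMAC) instead of the pre-patch one (EVM_KEY_MASK).
 */
static int evm_gate(unsigned int state, unsigned int request, bool hmac_only)
{
	unsigned int loaded_mask = hmac_only ? EVM_INIT_HMAC : EVM_KEY_MASK;

	if (!request || (request & ~EVM_INIT_MASK))
		return -EINVAL;

	/* Refuse enabling metadata writes once the relevant key is loaded,
	 * unless metadata writes were already allowed before that. */
	if ((request & EVM_ALLOW_METADATA_WRITES) &&
	    (state & loaded_mask) != 0 &&
	    !(state & EVM_ALLOW_METADATA_WRITES))
		return -EPERM;

	return 0;
}

/* Pre-patch rule: any loaded key (HMAC or public) blocks the request. */
int evm_gate_old(unsigned int state, unsigned int request)
{
	return evm_gate(state, request, false);
}

/* Post-patch rule: only a loaded HMAC key blocks the request. */
int evm_gate_new(unsigned int state, unsigned int request)
{
	return evm_gate(state, request, true);
}

/* Walk the four possible key-load states and count those whose verdict
 * on a request of EVM_ALLOW_METADATA_WRITES differs between the rules.
 * Only the "public key loaded, HMAC key not loaded" state changes. */
int evm_gate_diff_count(void)
{
	static const unsigned int states[] = {
		0,
		EVM_INIT_X509,
		EVM_INIT_HMAC,
		EVM_INIT_HMAC | EVM_INIT_X509,
	};
	int changed = 0;
	unsigned int n;

	for (n = 0; n < sizeof(states) / sizeof(states[0]); n++) {
		int old_v = evm_gate_old(states[n], EVM_ALLOW_METADATA_WRITES);
		int new_v = evm_gate_new(states[n], EVM_ALLOW_METADATA_WRITES);

		printf("evm_initialized=0x%x old=%d new=%d\n",
		       states[n], old_v, new_v);
		if (old_v != new_v)
			changed++;
	}
	return changed;
}

int main(void)
{
	return evm_gate_diff_count() == 1 ? 0 : 1;
}
```

Running it prints one line per state; the only row whose verdict changes is EVM_INIT_X509 alone (old=-1, new=0), which is exactly the case the commit message describes: with no HMAC key loaded there is no secret an attacker could use to produce a valid HMAC over corrupted xattrs, so allowing metadata writes in that state gives up nothing. Both rules still refuse once EVM_INIT_HMAC is set, and both accept the request if EVM_ALLOW_METADATA_WRITES was already in evm_initialized.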