Thread (11 messages) 11 messages, 4 authors, 2021-06-18

Re: [PATCH] fs: Return raw xattr for security.* if there is size disagreement with LSMs

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2021-06-18 16:04:48
Also in: linux-fsdevel, linux-integrity, lkml, selinux

On Thu, 2021-06-17 at 23:18 -0400, Paul Moore wrote:
On Thu, Jun 17, 2021 at 11:28 AM Mimi Zohar [off-list ref] wrote:
On Thu, 2021-06-17 at 07:09 +0000, Roberto Sassu wrote:
...
An alternative would be to do the EVM verification twice if the
first time didn't succeed (with vfs_getxattr_alloc() and with the
new function that behaves like vfs_getxattr()).
Unfortunately, I don't see an alternative.
... and while unfortunate, the impact should be non-existent if you
are using the right tools to label files or ensuring that you are
formatting labels properly if doing it by hand.

Handling a corner case is good, but I wouldn't add a lot of code
complexity trying to optimize it.
From userspace it's really difficult to understand that the EVM signature
verification failure is due to the missing NULL.

Roberto, I just pushed the "evm: output EVM digest calculation info"
patch to the next-integrity-testing branch, which includes some
debugging. Instead of this patch, which returns the raw xattr data,
how about adding additional debugging info in evm_calc_hmac_or_hash()
indicating the size discrepancy between the raw xattr and the LSM
returned xattr?

thanks,

Mimi