From patchwork Mon Jul 19 14:47:39 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 481101 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-20.2 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0EDA6C07E95 for ; Mon, 19 Jul 2021 15:33:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EDB46610D2 for ; Mon, 19 Jul 2021 15:33:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244376AbhGSOwr (ORCPT ); Mon, 19 Jul 2021 10:52:47 -0400 Received: from mail.kernel.org ([198.145.29.99]:42386 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344610AbhGSOtD (ORCPT ); Mon, 19 Jul 2021 10:49:03 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 3657860241; Mon, 19 Jul 2021 15:29:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1626708581; bh=xGf8nSOitxpurxwT4C5tDc5NICV04DNLDTlC7EnpJig=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Eg2rBkp8pGIeDzyqM8IrCgaJBWvpm1JDVPB1cy+7MfonE1gbV404CJeIG+/1Zx1Z8 OgPx4ec1ihlupxPQ9n0APXHzk/f6i5rDB/zg+iFtWdShCC5rmjzeUwe1nXnPkXfjdJ UuQIV+DYOomZZbr2R0kYys5DtCUuw2Ejd6pnm95I= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Roberto Sassu , Mimi Zohar Subject: [PATCH 4.19 048/421] evm: Execute evm_inode_init_security() only when an HMAC key is loaded Date: Mon, 19 Jul 2021 16:47:39 +0200 Message-Id: <20210719144947.890894790@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210719144946.310399455@linuxfoundation.org> References: <20210719144946.310399455@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Roberto Sassu commit 9eea2904292c2d8fa98df141d3bf7c41ec9dc1b5 upstream. evm_inode_init_security() requires an HMAC key to calculate the HMAC on initial xattrs provided by LSMs. However, it checks generically whether a key has been loaded, including also public keys, which is not correct as public keys are not suitable to calculate the HMAC. Originally, support for signature verification was introduced to verify a possibly immutable initial ram disk, when no new files are created, and to switch to HMAC for the root filesystem. By that time, an HMAC key should have been loaded and usable to calculate HMACs for new files. More recently support for requiring an HMAC key was removed from the kernel, so that signature verification can be used alone. Since this is a legitimate use case, evm_inode_init_security() should not return an error when no HMAC key has been loaded. This patch fixes this problem by replacing the evm_key_loaded() check with a check of the EVM_INIT_HMAC flag in evm_initialized. Fixes: 26ddabfe96b ("evm: enable EVM when X509 certificate is loaded") Signed-off-by: Roberto Sassu Cc: stable@vger.kernel.org # 4.5.x Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman --- security/integrity/evm/evm_main.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -523,7 +523,7 @@ void evm_inode_post_setattr(struct dentr } /* - * evm_inode_init_security - initializes security.evm + * evm_inode_init_security - initializes security.evm HMAC value */ int evm_inode_init_security(struct inode *inode, const struct xattr *lsm_xattr, @@ -532,7 +532,8 @@ int evm_inode_init_security(struct inode struct evm_ima_xattr_data *xattr_data; int rc; - if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name)) + if (!(evm_initialized & EVM_INIT_HMAC) || + !evm_protected_xattr(lsm_xattr->name)) return 0; xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);