The security_inode_post_setxattr() hook is used by security modules to update their own security.* xattrs. Consequently none of the security modules operate on posix acls. So we don't need an additional security hook when post setting posix acls. However, the integrity subsystem wants to be informed about posix acl changes in order to reset the EVM status flag. -> evm_inode_post_setxattr() -> evm_update_evmxattr() -> evm_calc_hmac() -> evm_calc_hmac_or_hash() and evm_calc_hmac_or_hash() walks the global list of protected xattr names evm_config_xattrnames. This global list can be modified via /sys/security/integrity/evm/evm_xattrs. The write to "evm_xattrs" is restricted to security.* xattrs and the default xattrs in evm_config_xattrnames only contain security.* xattrs as well. So the actual value for posix acls is currently completely irrelevant for evm during evm_inode_post_setxattr() and frankly it should stay that way in the future to not cause the vfs any more headaches. But if the actual posix acl values matter then evm shouldn't operate on the binary void blob and try to hack around in the uapi struct anyway. Instead it should then in the future add a dedicated hook which takes a struct posix_acl argument passing the posix acls in the proper vfs format. For now it is sufficient to make evm_inode_post_set_acl() a wrapper around evm_inode_post_setxattr() not passing any actual values down. This will cause the hashes to be updated as before. Reviewed-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
/* SPDX-License-Identifier: GPL-2.0 */
/*
 * evm.h
 *
 * Copyright (c) 2009 IBM Corporation
 * Author: Mimi Zohar <zohar@us.ibm.com>
 */

#ifndef _LINUX_EVM_H
#define _LINUX_EVM_H

#include <linux/integrity.h>
#include <linux/xattr.h>

/* Forward declaration only: this header passes pointers to it, never the object. */
struct integrity_iint_cache;

#ifdef CONFIG_EVM
/*
 * Real EVM entry points (implemented outside this header). The CONFIG_EVM=n
 * branch further down provides stubs with identical signatures so callers
 * never need their own #ifdef.
 */
/* presumably installs the EVM key material; keylen is a byte count — verify in the implementation */
extern int evm_set_key(void *key, size_t keylen);
extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
					     const char *xattr_name,
					     void *xattr_value,
					     size_t xattr_value_len,
					     struct integrity_iint_cache *iint);
extern int evm_inode_setattr(struct user_namespace *mnt_userns,
			     struct dentry *dentry, struct iattr *attr);
extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid);
extern int evm_inode_setxattr(struct user_namespace *mnt_userns,
			      struct dentry *dentry, const char *name,
			      const void *value, size_t size);
/*
 * Refreshes EVM's own xattr after a change. The recomputation walks the
 * evm_config_xattrnames list, which only ever holds security.* names
 * (writes to evm_xattrs are restricted to security.*), so for names outside
 * that list the value/length passed here is not consumed; see
 * evm_inode_post_set_acl() below, which relies on that.
 */
extern void evm_inode_post_setxattr(struct dentry *dentry,
				    const char *xattr_name,
				    const void *xattr_value,
				    size_t xattr_value_len);
extern int evm_inode_removexattr(struct user_namespace *mnt_userns,
				 struct dentry *dentry, const char *xattr_name);
extern void evm_inode_post_removexattr(struct dentry *dentry,
				       const char *xattr_name);
/* kacl == NULL is the removal case; evm_inode_remove_acl() below builds on that. */
extern int evm_inode_set_acl(struct user_namespace *mnt_userns,
			     struct dentry *dentry, const char *acl_name,
			     struct posix_acl *kacl);
/*
 * Removing a posix acl is modelled as setting it to NULL, so there is no
 * separate EVM entry point for it: delegate to evm_inode_set_acl().
 */
static inline int evm_inode_remove_acl(struct user_namespace *mnt_userns,
				       struct dentry *dentry,
				       const char *acl_name)
{
	struct posix_acl *no_acl = NULL;

	return evm_inode_set_acl(mnt_userns, dentry, acl_name, no_acl);
}
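/*
 * Post-hook for posix acl changes. EVM only needs to recompute its HMAC/hash
 * after the acl changed; that computation walks evm_config_xattrnames, which
 * holds security.* names only, so the acl contents are not consumed and no
 * value/length is passed down on purpose. Should EVM ever need the acl
 * contents, add a dedicated hook taking the struct posix_acl rather than
 * pushing a raw xattr blob through this path. kacl is intentionally unused.
 */
static inline void evm_inode_post_set_acl(struct dentry *dentry,
					  const char *acl_name,
					  struct posix_acl *kacl)
{
	/*
	 * Plain call, not "return <void expr>;": returning an expression from
	 * a void function is a constraint violation in ISO C (only accepted
	 * as a compiler extension).
	 */
	evm_inode_post_setxattr(dentry, acl_name, NULL, 0);
}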
/*
 * Remaining EVM entry points used by the integrity core; the CONFIG_EVM=n
 * stubs below mirror these signatures exactly.
 */
extern int evm_inode_init_security(struct inode *inode,
				   const struct xattr *xattr_array,
				   struct xattr *evm);
extern bool evm_revalidate_status(const char *xattr_name);
extern int evm_protected_xattr_if_enabled(const char *req_xattr_name);
/* NOTE(review): buffer_size is a signed int; how a negative value is treated is not visible here — confirm in the implementation. */
extern int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
				     int buffer_size, char type,
				     bool canonical_fmt);
#ifdef CONFIG_FS_POSIX_ACL
/* presumably reports whether xattrname is a posix acl xattr — verify in the implementation; without acl support the stub below always answers 0 */
extern int posix_xattr_acl(const char *xattrname);
#else
/*
 * No posix acl support configured: no xattr name can be an acl, so the
 * answer is 0 regardless of xattrname.
 */
static inline int posix_xattr_acl(const char *xattrname)
{
	return 0;
}
#endif /* CONFIG_FS_POSIX_ACL */
#else /* !CONFIG_EVM */

/*
 * EVM disabled: there is nowhere to install a key, so the request is
 * reported as unsupported. key and keylen are not examined.
 */
static inline int evm_set_key(void *key, size_t keylen)
{
	return -EOPNOTSUPP;
}
|
|
#ifdef CONFIG_INTEGRITY
/*
 * Only needed when the integrity core is built without EVM: every xattr
 * then gets INTEGRITY_UNKNOWN rather than a real verdict. None of the
 * arguments are examined.
 */
static inline enum integrity_status evm_verifyxattr(struct dentry *dentry,
						    const char *xattr_name,
						    void *xattr_value,
						    size_t xattr_value_len,
						    struct integrity_iint_cache *iint)
{
	return INTEGRITY_UNKNOWN;
}
#endif /* CONFIG_INTEGRITY */
|
|
/*
 * Stub for CONFIG_EVM=n: returns 0 unconditionally; mnt_userns, dentry
 * and attr are not examined.
 */
static inline int evm_inode_setattr(struct user_namespace *mnt_userns,
				    struct dentry *dentry,
				    struct iattr *attr)
{
	return 0;
}
|
|
/* Stub for CONFIG_EVM=n: nothing to refresh; dentry and ia_valid are ignored. */
static inline void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
{
}
|
|
/*
 * Stub for CONFIG_EVM=n: returns 0 unconditionally; none of the
 * arguments are examined.
 */
static inline int evm_inode_setxattr(struct user_namespace *mnt_userns,
				     struct dentry *dentry,
				     const char *name,
				     const void *value,
				     size_t size)
{
	return 0;
}
|
|
/*
 * Stub for CONFIG_EVM=n: no EVM xattr exists to update, so the change is
 * simply ignored; no argument is examined.
 */
static inline void evm_inode_post_setxattr(struct dentry *dentry,
					   const char *xattr_name,
					   const void *xattr_value,
					   size_t xattr_value_len)
{
}
|
|
/*
 * Stub for CONFIG_EVM=n: returns 0 unconditionally; mnt_userns, dentry
 * and xattr_name are ignored.
 */
static inline int evm_inode_removexattr(struct user_namespace *mnt_userns,
					struct dentry *dentry,
					const char *xattr_name)
{
	return 0;
}
|
|
/* Stub for CONFIG_EVM=n: nothing to refresh; dentry and xattr_name are ignored. */
static inline void evm_inode_post_removexattr(struct dentry *dentry,
					      const char *xattr_name)
{
}
|
|
/*
 * Stub for CONFIG_EVM=n: returns 0 unconditionally, for both the set
 * (kacl != NULL) and the remove (kacl == NULL) case; no argument is examined.
 */
static inline int evm_inode_set_acl(struct user_namespace *mnt_userns,
				    struct dentry *dentry,
				    const char *acl_name,
				    struct posix_acl *kacl)
{
	return 0;
}
|
|
/*
 * Stub for CONFIG_EVM=n: returns 0 unconditionally; mnt_userns, dentry
 * and acl_name are ignored.
 */
static inline int evm_inode_remove_acl(struct user_namespace *mnt_userns,
				       struct dentry *dentry,
				       const char *acl_name)
{
	return 0;
}
|
|
/*
 * Stub for CONFIG_EVM=n: no EVM xattr exists to refresh after an acl
 * change; dentry, acl_name and kacl are ignored.
 */
static inline void evm_inode_post_set_acl(struct dentry *dentry,
					  const char *acl_name,
					  struct posix_acl *kacl)
{
}
|
|
/*
 * Stub for CONFIG_EVM=n: returns 0 unconditionally and does not fill in
 * the evm xattr; inode, xattr_array and evm are ignored.
 */
static inline int evm_inode_init_security(struct inode *inode,
					  const struct xattr *xattr_array,
					  struct xattr *evm)
{
	return 0;
}
|
|
/* Stub for CONFIG_EVM=n: never asks for revalidation; xattr_name is ignored. */
static inline bool evm_revalidate_status(const char *xattr_name)
{
	return false;
}
|
|
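/*
 * Stub for CONFIG_EVM=n: no xattr is EVM-protected, so the answer is 0 for
 * every req_xattr_name. The function is declared int (matching the
 * CONFIG_EVM prototype and the other int stubs here), so return the integer
 * 0 rather than the bool literal false.
 */
static inline int evm_protected_xattr_if_enabled(const char *req_xattr_name)
{
	return 0;
}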
|
|
/*
 * Stub for CONFIG_EVM=n: there are no protected xattrs to read, so the
 * request is reported as unsupported and buffer is left untouched.
 */
static inline int evm_read_protected_xattrs(struct dentry *dentry,
					    u8 *buffer,
					    int buffer_size,
					    char type,
					    bool canonical_fmt)
{
	return -EOPNOTSUPP;
}
|
|
#endif /* CONFIG_EVM */
#endif /* _LINUX_EVM_H */