kernel_optimize_test/security
Roberto Sassu 53124265fc evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded
commit 9acc89d31f0c94c8e573ed61f3e4340bbd526d0c upstream.

EVM_ALLOW_METADATA_WRITES is an EVM initialization flag that can be set to
temporarily disable metadata verification until all xattrs/attrs necessary
to verify an EVM portable signature are copied to the file. This flag is
cleared when EVM is initialized with an HMAC key, to avoid that the HMAC is
calculated on unverified xattrs/attrs.

Currently EVM unnecessarily denies setting this flag if EVM is initialized
with a public key, which is not a concern as it cannot be used to trust
xattrs/attrs updates. This patch removes this limitation.

Fixes: ae1ba1676b ("EVM: Allow userland to permit modification of EVM-protected metadata")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Cc: stable@vger.kernel.org # 4.16.x
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-07-14 16:55:46 +02:00
..
apparmor treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
bpf bpf: Implement bpf_local_storage for inodes 2020-08-25 15:00:04 -07:00
integrity evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded 2021-07-14 16:55:46 +02:00
keys KEYS: trusted: Fix memory leak on object td 2021-05-19 10:12:50 +02:00
loadpin LSM: Add "contents" flag to kernel_read_file hook 2020-10-05 13:37:03 +02:00
lockdown Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2020-06-02 17:36:24 -07:00
safesetid LSM: SafeSetID: Fix warnings reported by test bot 2020-10-13 09:17:36 -07:00
selinux selinux: add proper NULL termination to the secclass_map permissions 2021-05-14 09:49:59 +02:00
smack smackfs: restrict bytes count in smackfs write functions 2021-03-07 12:34:05 +01:00
tomoyo tomoyo: recognize kernel threads correctly 2021-03-09 11:11:15 +01:00
yama task_work: cleanup notification modes 2020-10-17 15:05:30 -06:00
commoncap.c security: commoncap: fix -Wstringop-overread warning 2021-05-11 14:47:36 +02:00
device_cgroup.c device_cgroup: Fix RCU list debugging warning 2020-08-20 11:25:03 -07:00
inode.c
Kconfig Replace HTTP links with HTTPS ones: security 2020-08-06 12:00:05 -07:00
Kconfig.hardening security: allow using Clang's zero initialization for stack variables 2020-06-16 02:06:23 -07:00
lsm_audit.c dump_common_audit_data(): fix racy accesses to ->d_name 2021-01-19 18:27:29 +01:00
Makefile device_cgroup: Cleanup cgroup eBPF device filter code 2020-04-13 14:41:54 -04:00
min_addr.c sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
security.c LSM: Add "contents" flag to kernel_read_file hook 2020-10-05 13:37:03 +02:00