ima: fix blocking of security.ima xattrs of unsupported algorithms
Limit validating the hash algorithm to just the security.ima xattr, not
the security.evm xattr, any of the protected EVM security xattrs, or
POSIX ACLs.
Fixes: 50f742dd91
("IMA: block writes of the security.ima xattr with unsupported algorithms")
Reported-by: Christian Brauner <brauner@kernel.org>
Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
parent
1c23f9e627
commit
5926586f29
@ -750,22 +750,26 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
|
||||
const struct evm_ima_xattr_data *xvalue = xattr_value;
|
||||
int digsig = 0;
|
||||
int result;
|
||||
int err;
|
||||
|
||||
result = ima_protect_xattr(dentry, xattr_name, xattr_value,
|
||||
xattr_value_len);
|
||||
if (result == 1) {
|
||||
if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
|
||||
return -EINVAL;
|
||||
|
||||
err = validate_hash_algo(dentry, xvalue, xattr_value_len);
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
|
||||
} else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
|
||||
digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
|
||||
}
|
||||
if (result == 1 || evm_revalidate_status(xattr_name)) {
|
||||
result = validate_hash_algo(dentry, xvalue, xattr_value_len);
|
||||
if (result)
|
||||
return result;
|
||||
|
||||
ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
|
||||
if (result == 1)
|
||||
result = 0;
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
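Review bot: The validate_hash_algo() call added inside the `if (result == 1)` branch carries no comment saying why the check is confined to that branch, which is the whole point of the fix; from the code alone a reader cannot tell that the EVM xattrs and ACLs that still reach the `evm_revalidate_status()` block carry no IMA hash header and must not be rejected for an unsupported algorithm. Suggest a comment above the call: `/* Only security.ima carries an IMA hash header; the EVM xattrs and ACLs handled below must not be rejected for an unsupported algorithm. */`. That `result == 1` identifies the security.ima xattr is inferred from ima_protect_xattr(), whose definition is outside the hunk, and ima_inode_setxattr() itself starts before the hunk. Keeping the verdict in the separate `err` rather than overwriting `result` is the right choice, since the later `if (result == 1) result = 0;` depends on `result` still holding ima_protect_xattr()'s value.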