/** * evm_inode_removexattr - protect the EVM extended attribute * @dentry: pointer to the affected dentry * @xattr_name: pointer to the affected extended attribute name * * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that * the current value is valid. */ int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) { /* Policy permits modification of the protected xattrs even though * there's no HMAC key loaded */ if (evm_initialized & EVM_ALLOW_METADATA_WRITES) return 0; return evm_protect_xattr(dentry, xattr_name, NULL, 0); }
/** * evm_inode_removexattr - protect the EVM extended attribute * @dentry: pointer to the affected dentry * @xattr_name: pointer to the affected extended attribute name * * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that * the current value is valid. */ int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) { enum integrity_status evm_status; int ret; ret = evm_protect_xattr(dentry, xattr_name, NULL, 0); if (ret) return ret; evm_status = evm_verify_current_integrity(dentry); return evm_status == INTEGRITY_PASS ? 0 : -EPERM; }
/** * evm_inode_setxattr - protect the EVM extended attribute * @dentry: pointer to the affected dentry * @xattr_name: pointer to the affected extended attribute name * @xattr_value: pointer to the new extended attribute value * @xattr_value_len: pointer to the new extended attribute value length * * Before allowing the 'security.evm' protected xattr to be updated, * verify the existing value is valid. As only the kernel should have * access to the EVM encrypted key needed to calculate the HMAC, prevent * userspace from writing HMAC value. Writing 'security.evm' requires * requires CAP_SYS_ADMIN privileges. */ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len) { const struct evm_ima_xattr_data *xattr_data = xattr_value; if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { if (!xattr_value_len) return -EINVAL; if (xattr_data->type != EVM_IMA_XATTR_DIGSIG) return -EPERM; } return evm_protect_xattr(dentry, xattr_name, xattr_value, xattr_value_len); }
/** * evm_inode_setxattr - protect the EVM extended attribute * @dentry: pointer to the affected dentry * @xattr_name: pointer to the affected extended attribute name * @xattr_value: pointer to the new extended attribute value * @xattr_value_len: pointer to the new extended attribute value length * * Updating 'security.evm' requires CAP_SYS_ADMIN privileges and that * the current value is valid. */ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len) { enum integrity_status evm_status; int ret; ret = evm_protect_xattr(dentry, xattr_name, xattr_value, xattr_value_len); if (ret) return ret; evm_status = evm_verify_current_integrity(dentry); return evm_status == INTEGRITY_PASS ? 0 : -EPERM; }
/** * evm_inode_setxattr - protect the EVM extended attribute * @dentry: pointer to the affected dentry * @xattr_name: pointer to the affected extended attribute name * @xattr_value: pointer to the new extended attribute value * @xattr_value_len: pointer to the new extended attribute value length * * Before allowing the 'security.evm' protected xattr to be updated, * verify the existing value is valid. As only the kernel should have * access to the EVM encrypted key needed to calculate the HMAC, prevent * userspace from writing HMAC value. Writing 'security.evm' requires * requires CAP_SYS_ADMIN privileges. */ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len) { const struct evm_ima_xattr_data *xattr_data = xattr_value; /* Policy permits modification of the protected xattrs even though * there's no HMAC key loaded */ if (evm_initialized & EVM_ALLOW_METADATA_WRITES) return 0; if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { if (!xattr_value_len) return -EINVAL; if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) return -EPERM; } return evm_protect_xattr(dentry, xattr_name, xattr_value, xattr_value_len); }
/** * evm_inode_removexattr - protect the EVM extended attribute * @dentry: pointer to the affected dentry * @xattr_name: pointer to the affected extended attribute name * * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that * the current value is valid. */ int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) { return evm_protect_xattr(dentry, xattr_name, NULL, 0); }
/** * evm_inode_setxattr - protect the EVM extended attribute * @dentry: pointer to the affected dentry * @xattr_name: pointer to the affected extended attribute name * @xattr_value: pointer to the new extended attribute value * @xattr_value_len: pointer to the new extended attribute value length * * Updating 'security.evm' requires CAP_SYS_ADMIN privileges and that * the current value is valid. */ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len) { return evm_protect_xattr(dentry, xattr_name, xattr_value, xattr_value_len); }