summaryrefslogtreecommitdiffstats
path: root/security/integrity/evm
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-07 13:13:35 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-07 13:13:35 +0000
commit9ea788653ae1a5cea3f3853c5c50b58c98b3cd67 (patch)
treee1bf3b779c1dc9c5337c4442bf720073a3a53415 /security/integrity/evm
parentAdding upstream version 6.9.7. (diff)
downloadlinux-9ea788653ae1a5cea3f3853c5c50b58c98b3cd67.tar.xz
linux-9ea788653ae1a5cea3f3853c5c50b58c98b3cd67.zip
Adding upstream version 6.9.8.upstream/6.9.8
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/integrity/evm')
-rw-r--r--security/integrity/evm/evm_main.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 81dbade5b9..518b3090cd 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -192,7 +192,11 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
return iint->evm_status;
- if (is_unsupported_fs(dentry))
+ /*
+ * On unsupported filesystems without EVM_INIT_X509 enabled, skip
+ * signature verification.
+ */
+ if (!(evm_initialized & EVM_INIT_X509) && is_unsupported_fs(dentry))
return INTEGRITY_UNKNOWN;
/* if status is not PASS, try to check again - against -ENOMEM */
@@ -260,7 +264,8 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
evm_status = INTEGRITY_PASS_IMMUTABLE;
} else if (!IS_RDONLY(inode) &&
!(inode->i_sb->s_readonly_remount) &&
- !IS_IMMUTABLE(inode)) {
+ !IS_IMMUTABLE(inode) &&
+ !is_unsupported_fs(dentry)) {
evm_update_evmxattr(dentry, xattr_name,
xattr_value,
xattr_value_len);
@@ -418,9 +423,6 @@ enum integrity_status evm_verifyxattr(struct dentry *dentry,
if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
return INTEGRITY_UNKNOWN;
- if (is_unsupported_fs(dentry))
- return INTEGRITY_UNKNOWN;
-
return evm_verify_hmac(dentry, xattr_name, xattr_value,
xattr_value_len);
}