On Thu, 2026-01-22 at 09:07 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <[email protected]>
>
> Commit 8e5d9f916a96 ("smack: deduplicate xattr setting in
> smack_inode_init_security()") introduced xattr_dupval() to simplify setting
> the xattrs to be provided by the SMACK LSM on inode creation, in the
> smack_inode_init_security().
>
> Unfortunately, moving lsm_get_xattr_slot() caused the SMACK64TRANSMUTE
> xattr to be added in the array of new xattrs before SMACK64. This causes the
> HMAC of xattrs calculated by evm_init_hmac() for new files to diverge from
> the one calculated by both evm_calc_hmac_or_hash() and evmctl.
>
> evm_init_hmac() calculates the HMAC of the xattrs of new files based on the
> order LSMs provide them, while evm_calc_hmac_or_hash() and evmctl calculate
> the HMAC based on an ordered xattrs list.
>
> Fix the issue by making evm_init_hmac() calculate the HMAC of new files
> based on the ordered xattrs list too.
>
> Fixes: 8e5d9f916a96 ("smack: deduplicate xattr setting in
> smack_inode_init_security()")
> Signed-off-by: Roberto Sassu <[email protected]>

Thanks, Roberto. The patch is now queued in next-integrity.
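
The ordering problem described in the quoted commit message, as an added Python model (not code from the patch or the kernel): an HMAC over the same two SMACK xattr values differs when they are fed in provider order rather than list order. The key, xattr values and the contents of `EVM_XATTR_ORDER` are assumptions, and the inode metadata that EVM also hashes is left out.

```python
import hashlib
import hmac

# Assumption: a fixed xattr list standing in for EVM's ordered list.
EVM_XATTR_ORDER = [
    "security.selinux",
    "security.SMACK64",
    "security.SMACK64EXEC",
    "security.SMACK64TRANSMUTE",
    "security.SMACK64MMAP",
    "security.apparmor",
    "security.ima",
    "security.capability",
]
KEY = b"constructed-evm-key"  # constructed sample key, not a real EVM key

# Constructed samples: the same xattrs in the two orders the message describes.
SMACK_FIRST = [("security.SMACK64", b"System"),
               ("security.SMACK64TRANSMUTE", b"TRUE")]
TRANSMUTE_FIRST = list(reversed(SMACK_FIRST))


def hmac_in_given_order(xattrs):
    """Model of the unfixed init path: hash values in the order they arrive."""
    mac = hmac.new(KEY, digestmod=hashlib.sha1)
    for _name, value in xattrs:
        mac.update(value)
    return mac.hexdigest()


def hmac_in_list_order(xattrs):
    """Model of the verify path: walk the fixed list, hash each xattr present."""
    present = dict(xattrs)
    mac = hmac.new(KEY, digestmod=hashlib.sha1)
    for name in EVM_XATTR_ORDER:
        if name in present:
            mac.update(present[name])
    return mac.hexdigest()


if __name__ == "__main__":
    for label, xattrs in (("SMACK64 first", SMACK_FIRST),
                          ("SMACK64TRANSMUTE first", TRANSMUTE_FIRST)):
        match = hmac_in_given_order(xattrs) == hmac_in_list_order(xattrs)
        print(f"{label}: init HMAC matches verify HMAC = {match}")
```

In this model only the provider order that happens to match the list verifies; computing both sides from the list makes the result independent of the order in which the xattrs are supplied.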
