diff for duplicates of <1501424988.9230.67.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index 7da1758..dd14ce1 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -243,7 +243,7 @@ reason we can't move this comment and test to ima_read_modsig()? > + > + status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value_evm, > + xattr_len_evm, iint); -> + if (appraising_modsig && status = INTEGRITY_FAIL) { +> + if (appraising_modsig && status == INTEGRITY_FAIL) { > + cause = "invalid-HMAC"; > + goto out; @@ -252,8 +252,8 @@ required. This test doesn't prevent status from being set to "missing-HMAC". This test is redundant with the original tests below. > + } else if (status != INTEGRITY_PASS && status != INTEGRITY_UNKNOWN) { -> if ((status = INTEGRITY_NOLABEL) -> || (status = INTEGRITY_NOXATTRS)) +> if ((status == INTEGRITY_NOLABEL) +> || (status == INTEGRITY_NOXATTRS)) > cause = "missing-HMAC"; > @@ -281,6 +319,43 @@ int ima_appraise_measurement(enum ima_hooks func, > status = INTEGRITY_PASS; @@ -334,12 +334,12 @@ Mimi > + xattr_value->type != IMA_MODSIG))) { > if (!ima_fix_xattr(dentry, iint)) > status = INTEGRITY_PASS; -> } else if ((inode->i_size = 0) && +> } else if ((inode->i_size == 0) && > (iint->flags & IMA_NEW_FILE) && > (xattr_value && -> - xattr_value->type = EVM_IMA_XATTR_DIGSIG)) { -> + (xattr_value->type = EVM_IMA_XATTR_DIGSIG || -> + xattr_value->type = IMA_MODSIG))) { +> - xattr_value->type == EVM_IMA_XATTR_DIGSIG)) { +> + (xattr_value->type == EVM_IMA_XATTR_DIGSIG || +> + xattr_value->type == IMA_MODSIG))) { > status = INTEGRITY_PASS; > } > integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, @@ -352,14 +352,14 @@ Mimi > > result = ima_protect_xattr(dentry, xattr_name, xattr_value, 
 > @@ -405,8 +483,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
-> if (result = 1) {
+> if (result == 1) {
 > if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
 > return -EINVAL;
 > - ima_reset_appraise_flags(d_backing_inode(dentry),
-> - (xvalue->type = EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
+> - (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
 > +
-> + digsig = xvalue->type = EVM_IMA_XATTR_DIGSIG ||
-> + xvalue->type = IMA_MODSIG;
+> + digsig = xvalue->type == EVM_IMA_XATTR_DIGSIG ||
+> + xvalue->type == IMA_MODSIG;
 > + ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
 > result = 0;
 > }
@@ -534,7 +534,7 @@ Mimi
 > + if (!hdr)
 > + return;
 > +
-> + if (hdr->type = IMA_MODSIG) {
+> + if (hdr->type == IMA_MODSIG) {
 > + struct modsig_hdr *modsig = (struct modsig_hdr *) hdr;
 > +
 > + pkcs7_free_message(modsig->pkcs7_msg);
@@ -550,11 +550,11 @@ Mimi
 > }
 >
 > ima_log_string(ab, "appraise_type", args[0].from);
-> - if ((strcmp(args[0].from, "imasig")) = 0)
-> + if (strcmp(args[0].from, "imasig") = 0)
+> - if ((strcmp(args[0].from, "imasig")) == 0)
+> + if (strcmp(args[0].from, "imasig") == 0)
 > entry->flags |= IMA_DIGSIG_REQUIRED;
 > + else if (ima_hook_supports_modsig(entry->func) &&
-> + strcmp(args[0].from, "modsig|imasig") = 0)
+> + strcmp(args[0].from, "modsig|imasig") == 0)
 > + entry->flags |= IMA_DIGSIG_REQUIRED
 > + | IMA_MODSIG_ALLOWED;
 > else
@@ -618,7 +618,7 @@ Mimi
 > + * The xattr_value for IMA_MODSIG is a runtime structure containing
 > + * pointers. Get its raw data instead.
 > + */
-> + if (xattr_value->type = IMA_MODSIG) {
+> + if (xattr_value->type == IMA_MODSIG) {
 > + rc = ima_modsig_serialize_data(xattr_value, &xattr_value,
 > + &xattr_len);
 > + if (rc)
diff --git a/a/content_digest b/N1/content_digest
index 38dac76..06ca9c5 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -2,7 +2,7 @@
 "ref\020170706221753.17380-8-bauerman@linux.vnet.ibm.com\0"
 "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0"
 "Subject\0Re: [PATCH v3 7/7] ima: Support module-style appended signatures for appraisal\0"
- "Date\0Sun, 30 Jul 2017 14:29:48 +0000\0"
+ "Date\0Sun, 30 Jul 2017 10:29:48 -0400\0"
 "To\0Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>"
 " linux-security-module@vger.kernel.org\0"
 "Cc\0linux-ima-devel@lists.sourceforge.net"
@@ -268,7 +268,7 @@
 "> +\n"
 "> +\tstatus = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value_evm,\n"
 "> +\t\t\t\t xattr_len_evm, iint);\n"
- "> +\tif (appraising_modsig && status = INTEGRITY_FAIL) {\n"
+ "> +\tif (appraising_modsig && status == INTEGRITY_FAIL) {\n"
 "> +\t\tcause = \"invalid-HMAC\";\n"
 "> +\t\tgoto out;\n"
 "\n"
@@ -277,8 +277,8 @@
 "\"missing-HMAC\". \302\240This test is redundant with the original tests below.\n"
 "\n"
 "> +\t} else if (status != INTEGRITY_PASS && status != INTEGRITY_UNKNOWN) {\n"
- "> \t\tif ((status = INTEGRITY_NOLABEL)\n"
- "> \t\t || (status = INTEGRITY_NOXATTRS))\n"
+ "> \t\tif ((status == INTEGRITY_NOLABEL)\n"
+ "> \t\t || (status == INTEGRITY_NOXATTRS))\n"
 "> \t\t\tcause = \"missing-HMAC\";\n"
 "> @@ -281,6 +319,43 @@ int ima_appraise_measurement(enum ima_hooks func,\n"
 "> \t\t\tstatus = INTEGRITY_PASS;\n"
@@ -359,12 +359,12 @@
 "> +\t\t xattr_value->type != IMA_MODSIG))) {\n"
 "> \t\t\tif (!ima_fix_xattr(dentry, iint))\n"
 "> \t\t\t\tstatus = INTEGRITY_PASS;\n"
- "> \t\t} else if ((inode->i_size = 0) &&\n"
+ "> \t\t} else if ((inode->i_size == 0) &&\n"
 "> \t\t\t (iint->flags & IMA_NEW_FILE) &&\n"
 "> \t\t\t (xattr_value &&\n"
- "> -\t\t\t xattr_value->type = EVM_IMA_XATTR_DIGSIG)) {\n"
- "> +\t\t\t (xattr_value->type = EVM_IMA_XATTR_DIGSIG ||\n"
- "> +\t\t\t xattr_value->type = IMA_MODSIG))) {\n"
+ "> -\t\t\t xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {\n"
+ "> +\t\t\t (xattr_value->type == EVM_IMA_XATTR_DIGSIG ||\n"
+ "> +\t\t\t xattr_value->type == IMA_MODSIG))) {\n"
 "> \t\t\tstatus = INTEGRITY_PASS;\n"
 "> \t\t}\n"
 "> \t\tintegrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,\n"
@@ -377,14 +377,14 @@
 "> \n"
 "> \tresult = ima_protect_xattr(dentry, xattr_name, xattr_value,\n"
 "> @@ -405,8 +483,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,\n"
- "> \tif (result = 1) {\n"
+ "> \tif (result == 1) {\n"
 "> \t\tif (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))\n"
 "> \t\t\treturn -EINVAL;\n"
 "> -\t\tima_reset_appraise_flags(d_backing_inode(dentry),\n"
- "> -\t\t\t (xvalue->type = EVM_IMA_XATTR_DIGSIG) ? 1 : 0);\n"
+ "> -\t\t\t (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);\n"
 "> +\n"
- "> +\t\tdigsig = xvalue->type = EVM_IMA_XATTR_DIGSIG ||\n"
- "> +\t\t\t\txvalue->type = IMA_MODSIG;\n"
+ "> +\t\tdigsig = xvalue->type == EVM_IMA_XATTR_DIGSIG ||\n"
+ "> +\t\t\t\txvalue->type == IMA_MODSIG;\n"
 "> +\t\tima_reset_appraise_flags(d_backing_inode(dentry), digsig);\n"
 "> \t\tresult = 0;\n"
 "> \t}\n"
@@ -559,7 +559,7 @@
 "> +\tif (!hdr)\n"
 "> +\t\treturn;\n"
 "> +\n"
- "> +\tif (hdr->type = IMA_MODSIG) {\n"
+ "> +\tif (hdr->type == IMA_MODSIG) {\n"
 "> +\t\tstruct modsig_hdr *modsig = (struct modsig_hdr *) hdr;\n"
 "> +\n"
 "> +\t\tpkcs7_free_message(modsig->pkcs7_msg);\n"
@@ -575,11 +575,11 @@ "> \t\t\t}\n" "> \n" "> \t\t\tima_log_string(ab, \"appraise_type\", args[0].from);\n" - "> -\t\t\tif ((strcmp(args[0].from, \"imasig\")) = 0)\n" - "> +\t\t\tif (strcmp(args[0].from, \"imasig\") = 0)\n" + "> -\t\t\tif ((strcmp(args[0].from, \"imasig\")) == 0)\n" + "> +\t\t\tif (strcmp(args[0].from, \"imasig\") == 0)\n" "> \t\t\t\tentry->flags |= IMA_DIGSIG_REQUIRED;\n" "> +\t\t\telse if (ima_hook_supports_modsig(entry->func) &&\n" - "> +\t\t\t\t strcmp(args[0].from, \"modsig|imasig\") = 0)\n" + "> +\t\t\t\t strcmp(args[0].from, \"modsig|imasig\") == 0)\n" "> +\t\t\t\tentry->flags |= IMA_DIGSIG_REQUIRED\n" "> +\t\t\t\t\t\t| IMA_MODSIG_ALLOWED;\n" "> \t\t\telse\n" @@ -643,7 +643,7 @@ "> +\t * The xattr_value for IMA_MODSIG is a runtime structure containing\n" "> +\t * pointers. Get its raw data instead.\n" "> +\t */\n" - "> +\tif (xattr_value->type = IMA_MODSIG) {\n" + "> +\tif (xattr_value->type == IMA_MODSIG) {\n" "> +\t\trc = ima_modsig_serialize_data(xattr_value, &xattr_value,\n" "> +\t\t\t\t\t &xattr_len);\n" "> +\t\tif (rc)\n" @@ -680,4 +680,4 @@ "> };\n" > -084a299c9594cf3a6c8fa28fa2cc5cba14a6a1564215846821636eaa9c3f482f +01907e2be7223a32bfb2c5c5e4699f16533799754e3c974688e1ec704d47ff04
diff --git a/a/1.txt b/N2/1.txt index 7da1758..c33f7e4 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -207,7 +207,7 @@ On Thu, 2017-07-06 at 19:17 -0300, Thiago Jung Bauermann wrote: > + WARN_ONCE(true, "%s doesn't support modsig\n", > + func_tokens[func]); -ima _appraise_measurement() is getting kind of long. Is there any +ima _appraise_measurement() is getting kind of long. ?Is there any reason we can't move this comment and test to ima_read_modsig()? > + else if (!ima_read_modsig(buf, size, @@ -243,24 +243,24 @@ reason we can't move this comment and test to ima_read_modsig()? > + > + status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value_evm, > + xattr_len_evm, iint); -> + if (appraising_modsig && status = INTEGRITY_FAIL) { +> + if (appraising_modsig && status == INTEGRITY_FAIL) { > + cause = "invalid-HMAC"; > + goto out; "modsig" is special, because having any security xattrs is not -required. This test doesn't prevent status from being set to -"missing-HMAC". This test is redundant with the original tests below. +required. ?This test doesn't prevent status from being set to +"missing-HMAC". ?This test is redundant with the original tests below. > + } else if (status != INTEGRITY_PASS && status != INTEGRITY_UNKNOWN) { -> if ((status = INTEGRITY_NOLABEL) -> || (status = INTEGRITY_NOXATTRS)) +> if ((status == INTEGRITY_NOLABEL) +> || (status == INTEGRITY_NOXATTRS)) > cause = "missing-HMAC"; > @@ -281,6 +319,43 @@ int ima_appraise_measurement(enum ima_hooks func, > status = INTEGRITY_PASS; > } Calling evm_verifyxattr() with the IMA xattr value prevents EVM from -having to re-read the IMA xattr, but isn't necessary. On modsig +having to re-read the IMA xattr, but isn't necessary.??On modsig signature verification failure, calling evm_verifyxattr() a second time isn't necessary. 
@@ -296,10 +296,10 @@ based on the hash algorithm as defined in the IMA xattr. Including the file hash and signature in the measurement list allows the attestation server, with just a public key, to verify the file -signature against the file hash. No need for a white list. +signature against the file hash. ?No need for a white list. ima_modsig_verify() must calculate the file hash in order to verify -the file signature. This file hash value somehow needs to be returned +the file signature. ?This file hash value somehow needs to be returned in order for it to be included in the measurement list. > + /* @@ -316,8 +316,8 @@ in order for it to be included in the measurement list. > + filename, xattr_value_, > + xattr_len_, opened); -Most of the code before "switch" needs to be done only once. Is -recursion necessary? Or can we just retry the "switch" using the IMA +Most of the code before "switch" needs to be done only once. ?Is +recursion necessary? ?Or can we just retry the "switch" using the IMA xattr, assuming there is an IMA xattr? Mimi @@ -334,12 +334,12 @@ Mimi > + xattr_value->type != IMA_MODSIG))) { > if (!ima_fix_xattr(dentry, iint)) > status = INTEGRITY_PASS; -> } else if ((inode->i_size = 0) && +> } else if ((inode->i_size == 0) && > (iint->flags & IMA_NEW_FILE) && > (xattr_value && -> - xattr_value->type = EVM_IMA_XATTR_DIGSIG)) { -> + (xattr_value->type = EVM_IMA_XATTR_DIGSIG || -> + xattr_value->type = IMA_MODSIG))) { +> - xattr_value->type == EVM_IMA_XATTR_DIGSIG)) { +> + (xattr_value->type == EVM_IMA_XATTR_DIGSIG || +> + xattr_value->type == IMA_MODSIG))) { > status = INTEGRITY_PASS; > } > integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, @@ -352,14 +352,14 @@ Mimi > > result = ima_protect_xattr(dentry, xattr_name, xattr_value, 
 > @@ -405,8 +483,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
-> if (result = 1) {
+> if (result == 1) {
 > if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
 > return -EINVAL;
 > - ima_reset_appraise_flags(d_backing_inode(dentry),
-> - (xvalue->type = EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
+> - (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
 > +
-> + digsig = xvalue->type = EVM_IMA_XATTR_DIGSIG ||
-> + xvalue->type = IMA_MODSIG;
+> + digsig = xvalue->type == EVM_IMA_XATTR_DIGSIG ||
+> + xvalue->type == IMA_MODSIG;
 > + ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
 > result = 0;
 > }
@@ -534,7 +534,7 @@ Mimi
 > + if (!hdr)
 > + return;
 > +
-> + if (hdr->type = IMA_MODSIG) {
+> + if (hdr->type == IMA_MODSIG) {
 > + struct modsig_hdr *modsig = (struct modsig_hdr *) hdr;
 > +
 > + pkcs7_free_message(modsig->pkcs7_msg);
@@ -550,11 +550,11 @@ Mimi
 > }
 >
 > ima_log_string(ab, "appraise_type", args[0].from);
-> - if ((strcmp(args[0].from, "imasig")) = 0)
-> + if (strcmp(args[0].from, "imasig") = 0)
+> - if ((strcmp(args[0].from, "imasig")) == 0)
+> + if (strcmp(args[0].from, "imasig") == 0)
 > entry->flags |= IMA_DIGSIG_REQUIRED;
 > + else if (ima_hook_supports_modsig(entry->func) &&
-> + strcmp(args[0].from, "modsig|imasig") = 0)
+> + strcmp(args[0].from, "modsig|imasig") == 0)
 > + entry->flags |= IMA_DIGSIG_REQUIRED
 > + | IMA_MODSIG_ALLOWED;
 > else
@@ -618,7 +618,7 @@ Mimi
 > + * The xattr_value for IMA_MODSIG is a runtime structure containing
 > + * pointers. Get its raw data instead.
 > + */
-> + if (xattr_value->type = IMA_MODSIG) {
+> + if (xattr_value->type == IMA_MODSIG) {
 > + rc = ima_modsig_serialize_data(xattr_value, &xattr_value,
 > + &xattr_len);
 > + if (rc)
@@ -653,4 +653,9 @@ Mimi
 > + IMA_MODSIG,
 > IMA_XATTR_LAST
 > };
->
+>
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/a/content_digest b/N2/content_digest
index 38dac76..fb7507c 100644
--- a/a/content_digest
+++ b/N2/content_digest
@@ -1,26 +1,9 @@
 "ref\020170706221753.17380-1-bauerman@linux.vnet.ibm.com\0"
 "ref\020170706221753.17380-8-bauerman@linux.vnet.ibm.com\0"
- "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0"
- "Subject\0Re: [PATCH v3 7/7] ima: Support module-style appended signatures for appraisal\0"
- "Date\0Sun, 30 Jul 2017 14:29:48 +0000\0"
- "To\0Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>"
- " linux-security-module@vger.kernel.org\0"
- "Cc\0linux-ima-devel@lists.sourceforge.net"
- keyrings@vger.kernel.org
- linux-crypto@vger.kernel.org
- linuxppc-dev@lists.ozlabs.org
- linux-kernel@vger.kernel.org
- Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
- James Morris <james.l.morris@oracle.com>
- Serge E. Hallyn <serge@hallyn.com>
- David Howells <dhowells@redhat.com>
- David Woodhouse <dwmw2@infradead.org>
- Jessica Yu <jeyu@redhat.com>
- Rusty Russell <rusty@rustcorp.com.au>
- Herbert Xu <herbert@gondor.apana.org.au>
- David S. Miller <davem@davemloft.net>
- AKASHI
- " Takahiro <takahiro.akashi@linaro.org>\0"
+ "From\0zohar@linux.vnet.ibm.com (Mimi Zohar)\0"
+ "Subject\0[PATCH v3 7/7] ima: Support module-style appended signatures for appraisal\0"
+ "Date\0Sun, 30 Jul 2017 10:29:48 -0400\0"
+ "To\0linux-security-module@vger.kernel.org\0"
 "\00:1\0"
 "b\0"
 "On Thu, 2017-07-06 at 19:17 -0300, Thiago Jung Bauermann wrote:\n"
@@ -232,7 +215,7 @@
 "> +\t\t\tWARN_ONCE(true, \"%s doesn't support modsig\\n\",\n"
 "> +\t\t\t\t func_tokens[func]);\n"
 "\n"
- "ima _appraise_measurement() is getting kind of long. \302\240Is there any\n"
+ "ima _appraise_measurement() is getting kind of long. ?Is there any\n"
 "reason we can't move this comment and test to ima_read_modsig()?\n"
 "\n"
 "> +\t\telse if (!ima_read_modsig(buf, size,\n"
@@ -268,24 +251,24 @@
 "> +\n"
 "> +\tstatus = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value_evm,\n"
 "> +\t\t\t\t xattr_len_evm, iint);\n"
- "> +\tif (appraising_modsig && status = INTEGRITY_FAIL) {\n"
+ "> +\tif (appraising_modsig && status == INTEGRITY_FAIL) {\n"
 "> +\t\tcause = \"invalid-HMAC\";\n"
 "> +\t\tgoto out;\n"
 "\n"
 "\"modsig\" is special, because having any security xattrs is not\n"
- "required. \302\240This test doesn't prevent status from being set to\n"
- "\"missing-HMAC\". \302\240This test is redundant with the original tests below.\n"
+ "required. ?This test doesn't prevent status from being set to\n"
+ "\"missing-HMAC\". ?This test is redundant with the original tests below.\n"
 "\n"
 "> +\t} else if (status != INTEGRITY_PASS && status != INTEGRITY_UNKNOWN) {\n"
- "> \t\tif ((status = INTEGRITY_NOLABEL)\n"
- "> \t\t || (status = INTEGRITY_NOXATTRS))\n"
+ "> \t\tif ((status == INTEGRITY_NOLABEL)\n"
+ "> \t\t || (status == INTEGRITY_NOXATTRS))\n"
 "> \t\t\tcause = \"missing-HMAC\";\n"
 "> @@ -281,6 +319,43 @@ int ima_appraise_measurement(enum ima_hooks func,\n"
 "> \t\t\tstatus = INTEGRITY_PASS;\n"
 "> \t\t}\n"
 "\n"
 "Calling evm_verifyxattr() with the IMA xattr value prevents EVM from\n"
- "having to re-read the IMA xattr, but isn't necessary.\302\240\302\240On modsig\n"
+ "having to re-read the IMA xattr, but isn't necessary.??On modsig\n"
 "signature verification failure, calling evm_verifyxattr() a second\n"
 "time isn't necessary.\n"
 "\n"
@@ -321,10 +304,10 @@
 "\n"
 "Including the file hash and signature in the measurement list allows\n"
 "the attestation server, with just a public key, to verify the file\n"
- "signature against the file hash. \302\240No need for a white list.\n"
+ "signature against the file hash. ?No need for a white list.\n"
 "\n"
 "ima_modsig_verify() must calculate the file hash in order to verify\n"
- "the file signature. \302\240This file hash value somehow needs to be returned\n"
+ "the file signature. ?This file hash value somehow needs to be returned\n"
 "in order for it to be included in the measurement list.\n"
 "\n"
 "> +\t\t/*\n"
@@ -341,8 +324,8 @@
 "> +\t\t\t\t\t\tfilename, xattr_value_,\n"
 "> +\t\t\t\t\t\txattr_len_, opened);\n"
 "\n"
- "Most of the code before \"switch\" needs to be done only once. \302\240Is\n"
- "recursion necessary? \302\240Or can we just retry the \"switch\" using the IMA\n"
+ "Most of the code before \"switch\" needs to be done only once. ?Is\n"
+ "recursion necessary? ?Or can we just retry the \"switch\" using the IMA\n"
 "xattr, assuming there is an IMA xattr?\n"
 "\n"
 "Mimi\n"
@@ -359,12 +342,12 @@
 "> +\t\t xattr_value->type != IMA_MODSIG))) {\n"
 "> \t\t\tif (!ima_fix_xattr(dentry, iint))\n"
 "> \t\t\t\tstatus = INTEGRITY_PASS;\n"
- "> \t\t} else if ((inode->i_size = 0) &&\n"
+ "> \t\t} else if ((inode->i_size == 0) &&\n"
 "> \t\t\t (iint->flags & IMA_NEW_FILE) &&\n"
 "> \t\t\t (xattr_value &&\n"
- "> -\t\t\t xattr_value->type = EVM_IMA_XATTR_DIGSIG)) {\n"
- "> +\t\t\t (xattr_value->type = EVM_IMA_XATTR_DIGSIG ||\n"
- "> +\t\t\t xattr_value->type = IMA_MODSIG))) {\n"
+ "> -\t\t\t xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {\n"
+ "> +\t\t\t (xattr_value->type == EVM_IMA_XATTR_DIGSIG ||\n"
+ "> +\t\t\t xattr_value->type == IMA_MODSIG))) {\n"
 "> \t\t\tstatus = INTEGRITY_PASS;\n"
 "> \t\t}\n"
 "> \t\tintegrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,\n"
@@ -377,14 +360,14 @@
 "> \n"
 "> \tresult = ima_protect_xattr(dentry, xattr_name, xattr_value,\n"
 "> @@ -405,8 +483,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,\n"
- "> \tif (result = 1) {\n"
+ "> \tif (result == 1) {\n"
 "> \t\tif (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))\n"
 "> \t\t\treturn -EINVAL;\n"
 "> -\t\tima_reset_appraise_flags(d_backing_inode(dentry),\n"
- "> -\t\t\t (xvalue->type = EVM_IMA_XATTR_DIGSIG) ? 1 : 0);\n"
+ "> -\t\t\t (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);\n"
 "> +\n"
- "> +\t\tdigsig = xvalue->type = EVM_IMA_XATTR_DIGSIG ||\n"
- "> +\t\t\t\txvalue->type = IMA_MODSIG;\n"
+ "> +\t\tdigsig = xvalue->type == EVM_IMA_XATTR_DIGSIG ||\n"
+ "> +\t\t\t\txvalue->type == IMA_MODSIG;\n"
 "> +\t\tima_reset_appraise_flags(d_backing_inode(dentry), digsig);\n"
 "> \t\tresult = 0;\n"
 "> \t}\n"
@@ -559,7 +542,7 @@
 "> +\tif (!hdr)\n"
 "> +\t\treturn;\n"
 "> +\n"
- "> +\tif (hdr->type = IMA_MODSIG) {\n"
+ "> +\tif (hdr->type == IMA_MODSIG) {\n"
 "> +\t\tstruct modsig_hdr *modsig = (struct modsig_hdr *) hdr;\n"
 "> +\n"
 "> +\t\tpkcs7_free_message(modsig->pkcs7_msg);\n"
@@ -575,11 +558,11 @@
 "> \t\t\t}\n"
 "> \n"
 "> \t\t\tima_log_string(ab, \"appraise_type\", args[0].from);\n"
- "> -\t\t\tif ((strcmp(args[0].from, \"imasig\")) = 0)\n"
- "> +\t\t\tif (strcmp(args[0].from, \"imasig\") = 0)\n"
+ "> -\t\t\tif ((strcmp(args[0].from, \"imasig\")) == 0)\n"
+ "> +\t\t\tif (strcmp(args[0].from, \"imasig\") == 0)\n"
 "> \t\t\t\tentry->flags |= IMA_DIGSIG_REQUIRED;\n"
 "> +\t\t\telse if (ima_hook_supports_modsig(entry->func) &&\n"
- "> +\t\t\t\t strcmp(args[0].from, \"modsig|imasig\") = 0)\n"
+ "> +\t\t\t\t strcmp(args[0].from, \"modsig|imasig\") == 0)\n"
 "> +\t\t\t\tentry->flags |= IMA_DIGSIG_REQUIRED\n"
 "> +\t\t\t\t\t\t| IMA_MODSIG_ALLOWED;\n"
 "> \t\t\telse\n"
@@ -643,7 +626,7 @@ "> +\t * The xattr_value for IMA_MODSIG is a runtime structure containing\n" "> +\t * pointers. Get its raw data instead.\n" "> +\t */\n" - "> +\tif (xattr_value->type = IMA_MODSIG) {\n" + "> +\tif (xattr_value->type == IMA_MODSIG) {\n" "> +\t\trc = ima_modsig_serialize_data(xattr_value, &xattr_value,\n" "> +\t\t\t\t\t &xattr_len);\n" "> +\t\tif (rc)\n" @@ -678,6 +661,11 @@ "> +\tIMA_MODSIG,\n" "> \tIMA_XATTR_LAST\n" "> };\n" - > + "> \n" + "\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -084a299c9594cf3a6c8fa28fa2cc5cba14a6a1564215846821636eaa9c3f482f +37dff5d59b92b6619b451631bbc9b68b3a25e308cc741cade2004afd13659f0d