diff for duplicates of <1522069003.3541.64.camel@linux.vnet.ibm.com>
diff --git a/a/1.txt b/N1/1.txt
index 2b2fc8a..857267e 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -24,9 +24,9 @@ Yes, this sounds right.
 >
 > static inline bool is_ima_sig(const struct evm_ima_xattr_data *xattr_value)
 > {
-> - return xattr_value && xattr_value->type = EVM_IMA_XATTR_DIGSIG;
-> + return xattr_value && (xattr_value->type = EVM_IMA_XATTR_DIGSIG ||
-> + xattr_value->type = IMA_MODSIG);
+> - return xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG;
+> + return xattr_value && (xattr_value->type == EVM_IMA_XATTR_DIGSIG ||
+> + xattr_value->type == IMA_MODSIG);
 > }
 >
 > /*
@@ -88,7 +88,7 @@ Yes, this sounds right.
 >
 > - if (!(inode->i_opflags & IOP_XATTR))
 > + /* If not appraising a modsig, we need an xattr. */
-> + if ((xattr_value = NULL || xattr_value->type != IMA_MODSIG) &&
+> + if ((xattr_value == NULL || xattr_value->type != IMA_MODSIG) &&
 > + !(inode->i_opflags & IOP_XATTR))
 > return INTEGRITY_UNKNOWN;
 >
@@ -102,7 +102,7 @@ Yes, this sounds right.
 > + * If it's a modsig, we don't have the xattr contents to pass to
 > + * evm_verifyxattr().
 > + */
-> + if (xattr_value->type = IMA_MODSIG) {
+> + if (xattr_value->type == IMA_MODSIG) {
 > + xattr_contents = NULL;
 > + xattr_contents_len = 0;
 > + } else {
@@ -119,7 +119,7 @@ Yes, this sounds right.
 > break;
 > case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */
 > + /* It's fine not to have xattrs when using a modsig. */
-> + if (xattr_value->type = IMA_MODSIG)
+> + if (xattr_value->type == IMA_MODSIG)
 > + break;
 > case INTEGRITY_NOLABEL: /* No security.evm xattr. */
 > cause = "missing-HMAC";
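Review bot: The quoted `if (xattr_value->type == IMA_MODSIG) {` in the hunk at -102, and the same test under `case INTEGRITY_NOXATTRS:` in the hunk at -119, dereference `xattr_value` without a NULL test, although the guard in the hunk at -88 lets `xattr_value == NULL` through whenever the inode has `IOP_XATTR` set. The lines between these hunks and the start of the enclosing function are outside what is shown, so an intervening check may already return before the first dereference; if none does, a file with no xattr would hit a NULL pointer in the appraisal path. I would either test `xattr_value &&` at each later use or add a comment at the first dereference, such as `/* xattr_value is non-NULL here: <earlier check> returned otherwise */`. The same quoted lines recur in the N2 and N3 sections and in the content_digest hunks.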
@@ -134,7 +134,7 @@ Yes, this sounds right. > - (const char *)xattr_value, rc, > - iint->ima_hash->digest, > - iint->ima_hash->length); -> + if (xattr_value->type = EVM_IMA_XATTR_DIGSIG) +> + if (xattr_value->type == EVM_IMA_XATTR_DIGSIG) > + rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, > + (const char *)xattr_value, > + rc, iint->ima_hash->digest, @@ -142,7 +142,7 @@ Yes, this sounds right. > + else > + rc = ima_modsig_verify(INTEGRITY_KEYRING_IMA, > + xattr_value); -> if (rc = -EOPNOTSUPP) { +> if (rc == -EOPNOTSUPP) { > status = INTEGRITY_UNKNOWN; > } else if (rc) { > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c @@ -180,7 +180,7 @@ Yes, this sounds right. > + } > > - hash_algo = ima_get_hash_algo(xattr_value, xattr_len); -> + if (hash_algo = HASH_ALGO__LAST) +> + if (hash_algo == HASH_ALGO__LAST) > + hash_algo = ima_get_hash_algo(xattr_value, xattr_len); Previous versions needed to calculate the file hash based on the @@ -203,9 +203,4 @@ Mimi > out: > if (pathbuf) > __putname(pathbuf); -> - --- -To unsubscribe from this list: send the line "unsubscribe keyrings" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html +> diff --git a/a/content_digest b/N1/content_digest index 05067d2..f7cd835 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -2,7 +2,7 @@ "ref\020180316203837.10174-12-bauerman@linux.vnet.ibm.com\0" "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" "Subject\0Re: [PATCH v6 11/12] ima: Implement support for module-style appended signatures\0" - "Date\0Mon, 26 Mar 2018 12:56:43 +0000\0" + "Date\0Mon, 26 Mar 2018 08:56:43 -0400\0" "To\0Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>" " linux-integrity@vger.kernel.org\0" "Cc\0linux-security-module@vger.kernel.org" 
@@ -48,9 +48,9 @@ "> \n" "> static inline bool is_ima_sig(const struct evm_ima_xattr_data *xattr_value)\n" "> {\n" - "> -\treturn xattr_value && xattr_value->type = EVM_IMA_XATTR_DIGSIG;\n" - "> +\treturn xattr_value && (xattr_value->type = EVM_IMA_XATTR_DIGSIG ||\n" - "> +\t\t\t xattr_value->type = IMA_MODSIG);\n" + "> -\treturn xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG;\n" + "> +\treturn xattr_value && (xattr_value->type == EVM_IMA_XATTR_DIGSIG ||\n" + "> +\t\t\t xattr_value->type == IMA_MODSIG);\n" "> }\n" "> \n" "> /*\n" @@ -112,7 +112,7 @@ "> \n" "> -\tif (!(inode->i_opflags & IOP_XATTR))\n" "> +\t/* If not appraising a modsig, we need an xattr. */\n" - "> +\tif ((xattr_value = NULL || xattr_value->type != IMA_MODSIG) &&\n" + "> +\tif ((xattr_value == NULL || xattr_value->type != IMA_MODSIG) &&\n" "> +\t !(inode->i_opflags & IOP_XATTR))\n" "> \t\treturn INTEGRITY_UNKNOWN;\n" "> \n" @@ -126,7 +126,7 @@ "> +\t * If it's a modsig, we don't have the xattr contents to pass to\n" "> +\t * evm_verifyxattr().\n" "> +\t */\n" - "> +\tif (xattr_value->type = IMA_MODSIG) {\n" + "> +\tif (xattr_value->type == IMA_MODSIG) {\n" "> +\t\txattr_contents = NULL;\n" "> +\t\txattr_contents_len = 0;\n" "> +\t} else {\n" @@ -143,7 +143,7 @@ "> \t\tbreak;\n" "> \tcase INTEGRITY_NOXATTRS:\t/* No EVM protected xattrs. */\n" "> +\t\t/* It's fine not to have xattrs when using a modsig. */\n" - "> +\t\tif (xattr_value->type = IMA_MODSIG)\n" + "> +\t\tif (xattr_value->type == IMA_MODSIG)\n" "> +\t\t\tbreak;\n" "> \tcase INTEGRITY_NOLABEL:\t\t/* No security.evm xattr. */\n" "> \t\tcause = \"missing-HMAC\";\n" 
@@ -158,7 +158,7 @@ "> -\t\t\t\t\t (const char *)xattr_value, rc,\n" "> -\t\t\t\t\t iint->ima_hash->digest,\n" "> -\t\t\t\t\t iint->ima_hash->length);\n" - "> +\t\tif (xattr_value->type = EVM_IMA_XATTR_DIGSIG)\n" + "> +\t\tif (xattr_value->type == EVM_IMA_XATTR_DIGSIG)\n" "> +\t\t\trc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,\n" "> +\t\t\t\t\t\t (const char *)xattr_value,\n" "> +\t\t\t\t\t\t rc, iint->ima_hash->digest,\n" @@ -166,7 +166,7 @@ "> +\t\telse\n" "> +\t\t\trc = ima_modsig_verify(INTEGRITY_KEYRING_IMA,\n" "> +\t\t\t\t\t xattr_value);\n" - "> \t\tif (rc = -EOPNOTSUPP) {\n" + "> \t\tif (rc == -EOPNOTSUPP) {\n" "> \t\t\tstatus = INTEGRITY_UNKNOWN;\n" "> \t\t} else if (rc) {\n" "> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c\n" @@ -204,7 +204,7 @@ "> +\t}\n" "> \n" "> -\thash_algo = ima_get_hash_algo(xattr_value, xattr_len);\n" - "> +\tif (hash_algo = HASH_ALGO__LAST)\n" + "> +\tif (hash_algo == HASH_ALGO__LAST)\n" "> +\t\thash_algo = ima_get_hash_algo(xattr_value, xattr_len);\n" "\n" "Previous versions needed to calculate the file hash based on the\n" @@ -227,11 +227,6 @@ "> out:\n" "> \tif (pathbuf)\n" "> \t\t__putname(pathbuf);\n" - "> \n" - "\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe keyrings\" in\n" - "the body of a message to majordomo@vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + > -5eec3e98e0a0e36e0363754a43b63d9f98d4ca65419fd394a0de7a45f6fee03d +4c4e98e2ed263ec00aab6a4e75092d81b54b6f1271426ed168c552b77a1c3dad
diff --git a/a/1.txt b/N2/1.txt
index 2b2fc8a..4e7c374 100644
--- a/a/1.txt
+++ b/N2/1.txt
@@ -24,9 +24,9 @@ Yes, this sounds right.
 >
 > static inline bool is_ima_sig(const struct evm_ima_xattr_data *xattr_value)
 > {
-> - return xattr_value && xattr_value->type = EVM_IMA_XATTR_DIGSIG;
-> + return xattr_value && (xattr_value->type = EVM_IMA_XATTR_DIGSIG ||
-> + xattr_value->type = IMA_MODSIG);
+> - return xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG;
+> + return xattr_value && (xattr_value->type == EVM_IMA_XATTR_DIGSIG ||
+> + xattr_value->type == IMA_MODSIG);
 > }
 >
 > /*
@@ -88,7 +88,7 @@ Yes, this sounds right.
 >
 > - if (!(inode->i_opflags & IOP_XATTR))
 > + /* If not appraising a modsig, we need an xattr. */
-> + if ((xattr_value = NULL || xattr_value->type != IMA_MODSIG) &&
+> + if ((xattr_value == NULL || xattr_value->type != IMA_MODSIG) &&
 > + !(inode->i_opflags & IOP_XATTR))
 > return INTEGRITY_UNKNOWN;
 >
@@ -102,7 +102,7 @@ Yes, this sounds right.
 > + * If it's a modsig, we don't have the xattr contents to pass to
 > + * evm_verifyxattr().
 > + */
-> + if (xattr_value->type = IMA_MODSIG) {
+> + if (xattr_value->type == IMA_MODSIG) {
 > + xattr_contents = NULL;
 > + xattr_contents_len = 0;
 > + } else {
@@ -119,7 +119,7 @@ Yes, this sounds right.
 > break;
 > case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */
 > + /* It's fine not to have xattrs when using a modsig. */
-> + if (xattr_value->type = IMA_MODSIG)
+> + if (xattr_value->type == IMA_MODSIG)
 > + break;
 > case INTEGRITY_NOLABEL: /* No security.evm xattr. */
 > cause = "missing-HMAC";
@@ -134,7 +134,7 @@ Yes, this sounds right.
 > - (const char *)xattr_value, rc,
 > - iint->ima_hash->digest,
 > - iint->ima_hash->length);
-> + if (xattr_value->type = EVM_IMA_XATTR_DIGSIG)
+> + if (xattr_value->type == EVM_IMA_XATTR_DIGSIG)
 > + rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
 > + (const char *)xattr_value,
 > + rc, iint->ima_hash->digest,
@@ -142,7 +142,7 @@ Yes, this sounds right. > + else > + rc = ima_modsig_verify(INTEGRITY_KEYRING_IMA, > + xattr_value); -> if (rc = -EOPNOTSUPP) { +> if (rc == -EOPNOTSUPP) { > status = INTEGRITY_UNKNOWN; > } else if (rc) { > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c @@ -180,11 +180,11 @@ Yes, this sounds right. > + } > > - hash_algo = ima_get_hash_algo(xattr_value, xattr_len); -> + if (hash_algo = HASH_ALGO__LAST) +> + if (hash_algo == HASH_ALGO__LAST) > + hash_algo = ima_get_hash_algo(xattr_value, xattr_len); Previous versions needed to calculate the file hash based on the -modsig hash algorithm. With the introduction of the digest signature +modsig hash algorithm. With the introduction of the digest signature template field ('d-sig'), the file digest field ('d-ng') is always calculated based on either the xattr hash algorithm, if one exists, or the IMA default hash algorithm. @@ -203,9 +203,4 @@ Mimi > out: > if (pathbuf) > __putname(pathbuf); -> - --- -To unsubscribe from this list: send the line "unsubscribe keyrings" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html +> diff --git a/a/content_digest b/N2/content_digest index 05067d2..8064c63 100644 --- a/a/content_digest +++ b/N2/content_digest @@ -2,7 +2,7 @@ "ref\020180316203837.10174-12-bauerman@linux.vnet.ibm.com\0" "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" "Subject\0Re: [PATCH v6 11/12] ima: Implement support for module-style appended signatures\0" - "Date\0Mon, 26 Mar 2018 12:56:43 +0000\0" + "Date\0Mon, 26 Mar 2018 08:56:43 -0400\0" "To\0Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>" " linux-integrity@vger.kernel.org\0" "Cc\0linux-security-module@vger.kernel.org" 
@@ -48,9 +48,9 @@ "> \n" "> static inline bool is_ima_sig(const struct evm_ima_xattr_data *xattr_value)\n" "> {\n" - "> -\treturn xattr_value && xattr_value->type = EVM_IMA_XATTR_DIGSIG;\n" - "> +\treturn xattr_value && (xattr_value->type = EVM_IMA_XATTR_DIGSIG ||\n" - "> +\t\t\t xattr_value->type = IMA_MODSIG);\n" + "> -\treturn xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG;\n" + "> +\treturn xattr_value && (xattr_value->type == EVM_IMA_XATTR_DIGSIG ||\n" + "> +\t\t\t xattr_value->type == IMA_MODSIG);\n" "> }\n" "> \n" "> /*\n" @@ -112,7 +112,7 @@ "> \n" "> -\tif (!(inode->i_opflags & IOP_XATTR))\n" "> +\t/* If not appraising a modsig, we need an xattr. */\n" - "> +\tif ((xattr_value = NULL || xattr_value->type != IMA_MODSIG) &&\n" + "> +\tif ((xattr_value == NULL || xattr_value->type != IMA_MODSIG) &&\n" "> +\t !(inode->i_opflags & IOP_XATTR))\n" "> \t\treturn INTEGRITY_UNKNOWN;\n" "> \n" @@ -126,7 +126,7 @@ "> +\t * If it's a modsig, we don't have the xattr contents to pass to\n" "> +\t * evm_verifyxattr().\n" "> +\t */\n" - "> +\tif (xattr_value->type = IMA_MODSIG) {\n" + "> +\tif (xattr_value->type == IMA_MODSIG) {\n" "> +\t\txattr_contents = NULL;\n" "> +\t\txattr_contents_len = 0;\n" "> +\t} else {\n" @@ -143,7 +143,7 @@ "> \t\tbreak;\n" "> \tcase INTEGRITY_NOXATTRS:\t/* No EVM protected xattrs. */\n" "> +\t\t/* It's fine not to have xattrs when using a modsig. */\n" - "> +\t\tif (xattr_value->type = IMA_MODSIG)\n" + "> +\t\tif (xattr_value->type == IMA_MODSIG)\n" "> +\t\t\tbreak;\n" "> \tcase INTEGRITY_NOLABEL:\t\t/* No security.evm xattr. */\n" "> \t\tcause = \"missing-HMAC\";\n" 
@@ -158,7 +158,7 @@ "> -\t\t\t\t\t (const char *)xattr_value, rc,\n" "> -\t\t\t\t\t iint->ima_hash->digest,\n" "> -\t\t\t\t\t iint->ima_hash->length);\n" - "> +\t\tif (xattr_value->type = EVM_IMA_XATTR_DIGSIG)\n" + "> +\t\tif (xattr_value->type == EVM_IMA_XATTR_DIGSIG)\n" "> +\t\t\trc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,\n" "> +\t\t\t\t\t\t (const char *)xattr_value,\n" "> +\t\t\t\t\t\t rc, iint->ima_hash->digest,\n" @@ -166,7 +166,7 @@ "> +\t\telse\n" "> +\t\t\trc = ima_modsig_verify(INTEGRITY_KEYRING_IMA,\n" "> +\t\t\t\t\t xattr_value);\n" - "> \t\tif (rc = -EOPNOTSUPP) {\n" + "> \t\tif (rc == -EOPNOTSUPP) {\n" "> \t\t\tstatus = INTEGRITY_UNKNOWN;\n" "> \t\t} else if (rc) {\n" "> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c\n" @@ -204,11 +204,11 @@ "> +\t}\n" "> \n" "> -\thash_algo = ima_get_hash_algo(xattr_value, xattr_len);\n" - "> +\tif (hash_algo = HASH_ALGO__LAST)\n" + "> +\tif (hash_algo == HASH_ALGO__LAST)\n" "> +\t\thash_algo = ima_get_hash_algo(xattr_value, xattr_len);\n" "\n" "Previous versions needed to calculate the file hash based on the\n" - "modsig hash algorithm.\302\240\302\240With the introduction of the digest signature\n" + "modsig hash algorithm. With the introduction of the digest signature\n" "template field ('d-sig'), the file digest field ('d-ng') is always\n" "calculated based on either the xattr hash algorithm, if one exists, or\n" "the IMA default hash algorithm.\n" @@ -227,11 +227,6 @@ "> out:\n" "> \tif (pathbuf)\n" "> \t\t__putname(pathbuf);\n" - "> \n" - "\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe keyrings\" in\n" - "the body of a message to majordomo@vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + > -5eec3e98e0a0e36e0363754a43b63d9f98d4ca65419fd394a0de7a45f6fee03d +78fae91f4cfb2b3e0f9121ef482eb18ddaea6e2c6f31f2d883e02264b94ceb1d
diff --git a/a/1.txt b/N3/1.txt
index 2b2fc8a..acb588f 100644
--- a/a/1.txt
+++ b/N3/1.txt
@@ -24,9 +24,9 @@ Yes, this sounds right.
 >
 > static inline bool is_ima_sig(const struct evm_ima_xattr_data *xattr_value)
 > {
-> - return xattr_value && xattr_value->type = EVM_IMA_XATTR_DIGSIG;
-> + return xattr_value && (xattr_value->type = EVM_IMA_XATTR_DIGSIG ||
-> + xattr_value->type = IMA_MODSIG);
+> - return xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG;
+> + return xattr_value && (xattr_value->type == EVM_IMA_XATTR_DIGSIG ||
+> + xattr_value->type == IMA_MODSIG);
 > }
 >
 > /*
@@ -88,7 +88,7 @@ Yes, this sounds right.
 >
 > - if (!(inode->i_opflags & IOP_XATTR))
 > + /* If not appraising a modsig, we need an xattr. */
-> + if ((xattr_value = NULL || xattr_value->type != IMA_MODSIG) &&
+> + if ((xattr_value == NULL || xattr_value->type != IMA_MODSIG) &&
 > + !(inode->i_opflags & IOP_XATTR))
 > return INTEGRITY_UNKNOWN;
 >
@@ -102,7 +102,7 @@ Yes, this sounds right.
 > + * If it's a modsig, we don't have the xattr contents to pass to
 > + * evm_verifyxattr().
 > + */
-> + if (xattr_value->type = IMA_MODSIG) {
+> + if (xattr_value->type == IMA_MODSIG) {
 > + xattr_contents = NULL;
 > + xattr_contents_len = 0;
 > + } else {
@@ -119,7 +119,7 @@ Yes, this sounds right.
 > break;
 > case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */
 > + /* It's fine not to have xattrs when using a modsig. */
-> + if (xattr_value->type = IMA_MODSIG)
+> + if (xattr_value->type == IMA_MODSIG)
 > + break;
 > case INTEGRITY_NOLABEL: /* No security.evm xattr. */
 > cause = "missing-HMAC";
@@ -134,7 +134,7 @@ Yes, this sounds right.
 > - (const char *)xattr_value, rc,
 > - iint->ima_hash->digest,
 > - iint->ima_hash->length);
-> + if (xattr_value->type = EVM_IMA_XATTR_DIGSIG)
+> + if (xattr_value->type == EVM_IMA_XATTR_DIGSIG)
 > + rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
 > + (const char *)xattr_value,
 > + rc, iint->ima_hash->digest,
@@ -142,7 +142,7 @@ Yes, this sounds right. > + else > + rc = ima_modsig_verify(INTEGRITY_KEYRING_IMA, > + xattr_value); -> if (rc = -EOPNOTSUPP) { +> if (rc == -EOPNOTSUPP) { > status = INTEGRITY_UNKNOWN; > } else if (rc) { > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c @@ -180,11 +180,11 @@ Yes, this sounds right. > + } > > - hash_algo = ima_get_hash_algo(xattr_value, xattr_len); -> + if (hash_algo = HASH_ALGO__LAST) +> + if (hash_algo == HASH_ALGO__LAST) > + hash_algo = ima_get_hash_algo(xattr_value, xattr_len); Previous versions needed to calculate the file hash based on the -modsig hash algorithm. With the introduction of the digest signature +modsig hash algorithm.??With the introduction of the digest signature template field ('d-sig'), the file digest field ('d-ng') is always calculated based on either the xattr hash algorithm, if one exists, or the IMA default hash algorithm. @@ -206,6 +206,6 @@ Mimi > -- -To unsubscribe from this list: send the line "unsubscribe keyrings" in -the body of a message to majordomo@vger.kernel.org +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N3/content_digest index 05067d2..41f1c33 100644 --- a/a/content_digest +++ b/N3/content_digest 
@@ -1,25 +1,9 @@ "ref\020180316203837.10174-1-bauerman@linux.vnet.ibm.com\0" "ref\020180316203837.10174-12-bauerman@linux.vnet.ibm.com\0" - "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" - "Subject\0Re: [PATCH v6 11/12] ima: Implement support for module-style appended signatures\0" - "Date\0Mon, 26 Mar 2018 12:56:43 +0000\0" - "To\0Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>" - " linux-integrity@vger.kernel.org\0" - "Cc\0linux-security-module@vger.kernel.org" - keyrings@vger.kernel.org - linux-crypto@vger.kernel.org - linuxppc-dev@lists.ozlabs.org - linux-kernel@vger.kernel.org - Dmitry Kasatkin <dmitry.kasatkin@gmail.com> - James Morris <jmorris@namei.org> - Serge E. Hallyn <serge@hallyn.com> - David Howells <dhowells@redhat.com> - David Woodhouse <dwmw2@infradead.org> - Jessica Yu <jeyu@kernel.org> - Herbert Xu <herbert@gondor.apana.org.au> - David S. Miller <davem@davemloft.net> - AKASHI - " Takahiro <takahiro.akashi@linaro.org>\0" + "From\0zohar@linux.vnet.ibm.com (Mimi Zohar)\0" + "Subject\0[PATCH v6 11/12] ima: Implement support for module-style appended signatures\0" + "Date\0Mon, 26 Mar 2018 08:56:43 -0400\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Fri, 2018-03-16 at 17:38 -0300, Thiago Jung Bauermann wrote:\n" @@ -48,9 +32,9 @@ "> \n" "> static inline bool is_ima_sig(const struct evm_ima_xattr_data *xattr_value)\n" "> {\n" - "> -\treturn xattr_value && xattr_value->type = EVM_IMA_XATTR_DIGSIG;\n" - "> +\treturn xattr_value && (xattr_value->type = EVM_IMA_XATTR_DIGSIG ||\n" - "> +\t\t\t xattr_value->type = IMA_MODSIG);\n" + "> -\treturn xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG;\n" + "> +\treturn xattr_value && (xattr_value->type == EVM_IMA_XATTR_DIGSIG ||\n" + "> +\t\t\t xattr_value->type == IMA_MODSIG);\n" "> }\n" "> \n" "> /*\n" 
@@ -112,7 +96,7 @@ "> \n" "> -\tif (!(inode->i_opflags & IOP_XATTR))\n" "> +\t/* If not appraising a modsig, we need an xattr. */\n" - "> +\tif ((xattr_value = NULL || xattr_value->type != IMA_MODSIG) &&\n" + "> +\tif ((xattr_value == NULL || xattr_value->type != IMA_MODSIG) &&\n" "> +\t !(inode->i_opflags & IOP_XATTR))\n" "> \t\treturn INTEGRITY_UNKNOWN;\n" "> \n" @@ -126,7 +110,7 @@ "> +\t * If it's a modsig, we don't have the xattr contents to pass to\n" "> +\t * evm_verifyxattr().\n" "> +\t */\n" - "> +\tif (xattr_value->type = IMA_MODSIG) {\n" + "> +\tif (xattr_value->type == IMA_MODSIG) {\n" "> +\t\txattr_contents = NULL;\n" "> +\t\txattr_contents_len = 0;\n" "> +\t} else {\n" @@ -143,7 +127,7 @@ "> \t\tbreak;\n" "> \tcase INTEGRITY_NOXATTRS:\t/* No EVM protected xattrs. */\n" "> +\t\t/* It's fine not to have xattrs when using a modsig. */\n" - "> +\t\tif (xattr_value->type = IMA_MODSIG)\n" + "> +\t\tif (xattr_value->type == IMA_MODSIG)\n" "> +\t\t\tbreak;\n" "> \tcase INTEGRITY_NOLABEL:\t\t/* No security.evm xattr. */\n" "> \t\tcause = \"missing-HMAC\";\n" @@ -158,7 +142,7 @@ "> -\t\t\t\t\t (const char *)xattr_value, rc,\n" "> -\t\t\t\t\t iint->ima_hash->digest,\n" "> -\t\t\t\t\t iint->ima_hash->length);\n" - "> +\t\tif (xattr_value->type = EVM_IMA_XATTR_DIGSIG)\n" + "> +\t\tif (xattr_value->type == EVM_IMA_XATTR_DIGSIG)\n" "> +\t\t\trc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,\n" "> +\t\t\t\t\t\t (const char *)xattr_value,\n" "> +\t\t\t\t\t\t rc, iint->ima_hash->digest,\n" @@ -166,7 +150,7 @@ "> +\t\telse\n" "> +\t\t\trc = ima_modsig_verify(INTEGRITY_KEYRING_IMA,\n" "> +\t\t\t\t\t xattr_value);\n" - "> \t\tif (rc = -EOPNOTSUPP) {\n" + "> \t\tif (rc == -EOPNOTSUPP) {\n" "> \t\t\tstatus = INTEGRITY_UNKNOWN;\n" "> \t\t} else if (rc) {\n" "> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c\n" 
@@ -204,11 +188,11 @@ "> +\t}\n" "> \n" "> -\thash_algo = ima_get_hash_algo(xattr_value, xattr_len);\n" - "> +\tif (hash_algo = HASH_ALGO__LAST)\n" + "> +\tif (hash_algo == HASH_ALGO__LAST)\n" "> +\t\thash_algo = ima_get_hash_algo(xattr_value, xattr_len);\n" "\n" "Previous versions needed to calculate the file hash based on the\n" - "modsig hash algorithm.\302\240\302\240With the introduction of the digest signature\n" + "modsig hash algorithm.??With the introduction of the digest signature\n" "template field ('d-sig'), the file digest field ('d-ng') is always\n" "calculated based on either the xattr hash algorithm, if one exists, or\n" "the IMA default hash algorithm.\n" @@ -230,8 +214,8 @@ "> \n" "\n" "--\n" - "To unsubscribe from this list: send the line \"unsubscribe keyrings\" in\n" - "the body of a message to majordomo@vger.kernel.org\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" More majordomo info at http://vger.kernel.org/majordomo-info.html -5eec3e98e0a0e36e0363754a43b63d9f98d4ca65419fd394a0de7a45f6fee03d +d7174f5cd302afe94a06559df0fa578916a2c18b76ca9ebebf39805d30824531