From: "Serge E. Hallyn" <serge@hallyn.com>
To: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: [PATCH 3/4] ima: Improvements in ima_appraise_measurement()
Date: Wed, 14 Mar 2018 16:40:45 -0500 [thread overview]
Message-ID: <20180314214045.GC14289@mail.hallyn.com> (raw)
In-Reply-To: <20180314202020.3794-4-bauerman@linux.vnet.ibm.com>
Quoting Thiago Jung Bauermann (bauerman@linux.vnet.ibm.com):
> From: Mimi Zohar <zohar@linux.vnet.ibm.com>
>
> Replace nested ifs in the EVM xattr verification logic with a switch
> statement, making the code easier to understand.
>
> Also, add comments to the if statements in the out section and constify the
> cause variable.
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
> ---
> security/integrity/ima/ima_appraise.c | 33 ++++++++++++++++++++-------------
> 1 file changed, 20 insertions(+), 13 deletions(-)
>
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 0c5f94b7b9c3..dd10ecbdce45 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -215,7 +215,7 @@ int ima_appraise_measurement(enum ima_hooks func,
> int xattr_len, int opened)
> {
> static const char op[] = "appraise_data";
> - char *cause = "unknown";
> + const char *cause = "unknown";
> struct dentry *dentry = file_dentry(file);
> struct inode *inode = d_backing_inode(dentry);
> enum integrity_status status = INTEGRITY_UNKNOWN;
> @@ -241,16 +241,20 @@ int ima_appraise_measurement(enum ima_hooks func,
> }
>
> status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
> - if ((status != INTEGRITY_PASS) &&
> - (status != INTEGRITY_PASS_IMMUTABLE) &&
> - (status != INTEGRITY_UNKNOWN)) {
> - if ((status == INTEGRITY_NOLABEL)
> - || (status == INTEGRITY_NOXATTRS))
> - cause = "missing-HMAC";
> - else if (status == INTEGRITY_FAIL)
> - cause = "invalid-HMAC";
> + switch (status) {
> + case INTEGRITY_PASS:
> + case INTEGRITY_PASS_IMMUTABLE:
> + case INTEGRITY_UNKNOWN:
Wouldn't it be more future-proof to replace this with a 'default', or
to at least add a "default: BUG()" to catch new status values?
> + break;
> + case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */
> + case INTEGRITY_NOLABEL: /* No security.evm xattr. */
> + cause = "missing-HMAC";
> + goto out;
> + case INTEGRITY_FAIL: /* Invalid HMAC/signature. */
> + cause = "invalid-HMAC";
> goto out;
> }
> +
> switch (xattr_value->type) {
> case IMA_XATTR_DIGEST_NG:
> /* first byte contains algorithm id */
> @@ -316,17 +320,20 @@ int ima_appraise_measurement(enum ima_hooks func,
> integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> op, cause, rc, 0);
> } else if (status != INTEGRITY_PASS) {
> + /* Fix mode, but don't replace file signatures. */
> if ((ima_appraise & IMA_APPRAISE_FIX) &&
> (!xattr_value ||
> xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
> if (!ima_fix_xattr(dentry, iint))
> status = INTEGRITY_PASS;
> - } else if ((inode->i_size == 0) &&
> - (iint->flags & IMA_NEW_FILE) &&
> - (xattr_value &&
> - xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
> + }
> +
> + /* Permit new files with file signatures, but without data. */
> + if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
This may be correct, but it's not identical to what you're replacing.
Since in either case you're setting status to INTEGRITY_PASS the final
result is the same, but with a few extra possible steps. Not sure
whether that matters.
> + xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) {
> status = INTEGRITY_PASS;
> }
> +
> integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> op, cause, rc, 0);
> } else {
WARNING: multiple messages have this Message-ID (diff)
From: serge@hallyn.com (Serge E. Hallyn)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 3/4] ima: Improvements in ima_appraise_measurement()
Date: Wed, 14 Mar 2018 16:40:45 -0500 [thread overview]
Message-ID: <20180314214045.GC14289@mail.hallyn.com> (raw)
In-Reply-To: <20180314202020.3794-4-bauerman@linux.vnet.ibm.com>
Quoting Thiago Jung Bauermann (bauerman at linux.vnet.ibm.com):
> From: Mimi Zohar <zohar@linux.vnet.ibm.com>
>
> Replace nested ifs in the EVM xattr verification logic with a switch
> statement, making the code easier to understand.
>
> Also, add comments to the if statements in the out section and constify the
> cause variable.
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
> ---
> security/integrity/ima/ima_appraise.c | 33 ++++++++++++++++++++-------------
> 1 file changed, 20 insertions(+), 13 deletions(-)
>
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 0c5f94b7b9c3..dd10ecbdce45 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -215,7 +215,7 @@ int ima_appraise_measurement(enum ima_hooks func,
> int xattr_len, int opened)
> {
> static const char op[] = "appraise_data";
> - char *cause = "unknown";
> + const char *cause = "unknown";
> struct dentry *dentry = file_dentry(file);
> struct inode *inode = d_backing_inode(dentry);
> enum integrity_status status = INTEGRITY_UNKNOWN;
> @@ -241,16 +241,20 @@ int ima_appraise_measurement(enum ima_hooks func,
> }
>
> status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
> - if ((status != INTEGRITY_PASS) &&
> - (status != INTEGRITY_PASS_IMMUTABLE) &&
> - (status != INTEGRITY_UNKNOWN)) {
> - if ((status == INTEGRITY_NOLABEL)
> - || (status == INTEGRITY_NOXATTRS))
> - cause = "missing-HMAC";
> - else if (status == INTEGRITY_FAIL)
> - cause = "invalid-HMAC";
> + switch (status) {
> + case INTEGRITY_PASS:
> + case INTEGRITY_PASS_IMMUTABLE:
> + case INTEGRITY_UNKNOWN:
Wouldn't it be more future-proof to replace this with a 'default', or
to at least add a "default: BUG()" to catch new status values?
> + break;
> + case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */
> + case INTEGRITY_NOLABEL: /* No security.evm xattr. */
> + cause = "missing-HMAC";
> + goto out;
> + case INTEGRITY_FAIL: /* Invalid HMAC/signature. */
> + cause = "invalid-HMAC";
> goto out;
> }
> +
> switch (xattr_value->type) {
> case IMA_XATTR_DIGEST_NG:
> /* first byte contains algorithm id */
> @@ -316,17 +320,20 @@ int ima_appraise_measurement(enum ima_hooks func,
> integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> op, cause, rc, 0);
> } else if (status != INTEGRITY_PASS) {
> + /* Fix mode, but don't replace file signatures. */
> if ((ima_appraise & IMA_APPRAISE_FIX) &&
> (!xattr_value ||
> xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
> if (!ima_fix_xattr(dentry, iint))
> status = INTEGRITY_PASS;
> - } else if ((inode->i_size == 0) &&
> - (iint->flags & IMA_NEW_FILE) &&
> - (xattr_value &&
> - xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
> + }
> +
> + /* Permit new files with file signatures, but without data. */
> + if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
This may be correct, but it's not identical to what you're replacing.
Since in either case you're setting status to INTEGRITY_PASS the final
result is the same, but with a few extra possible steps. Not sure
whether that matters.
> + xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) {
> status = INTEGRITY_PASS;
> }
> +
> integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> op, cause, rc, 0);
> } else {
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-03-14 21:40 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-14 20:20 [PATCH 0/4] Code improvements in integrity and IMA Thiago Jung Bauermann
2018-03-14 20:20 ` Thiago Jung Bauermann
2018-03-14 20:20 ` [PATCH 1/4] integrity: Remove unused macro IMA_ACTION_RULE_FLAGS Thiago Jung Bauermann
2018-03-14 20:20 ` Thiago Jung Bauermann
2018-03-14 21:33 ` Serge E. Hallyn
2018-03-14 21:33 ` Serge E. Hallyn
2018-03-14 20:20 ` [PATCH 2/4] ima: Simplify ima_eventsig_init() Thiago Jung Bauermann
2018-03-14 20:20 ` Thiago Jung Bauermann
2018-03-14 21:31 ` Serge E. Hallyn
2018-03-14 21:31 ` Serge E. Hallyn
2018-03-14 20:20 ` [PATCH 3/4] ima: Improvements in ima_appraise_measurement() Thiago Jung Bauermann
2018-03-14 20:20 ` Thiago Jung Bauermann
2018-03-14 21:40 ` Serge E. Hallyn [this message]
2018-03-14 21:40 ` Serge E. Hallyn
2018-03-15 0:03 ` Thiago Jung Bauermann
2018-03-15 0:03 ` Thiago Jung Bauermann
2018-03-15 19:18 ` Mimi Zohar
2018-03-15 19:18 ` Mimi Zohar
2018-03-15 19:18 ` Mimi Zohar
2018-03-15 20:33 ` Thiago Jung Bauermann
2018-03-15 20:33 ` Thiago Jung Bauermann
2018-03-15 20:33 ` Thiago Jung Bauermann
2018-03-17 15:09 ` Serge E. Hallyn
2018-03-17 15:09 ` Serge E. Hallyn
2018-03-14 20:20 ` [PATCH 4/4] integrity: Introduce struct evm_xattr Thiago Jung Bauermann
2018-03-14 20:20 ` Thiago Jung Bauermann
2018-03-15 21:01 ` [PATCH 0/4] Code improvements in integrity and IMA Mimi Zohar
2018-03-15 21:01 ` Mimi Zohar
2018-03-15 21:01 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180314214045.GC14289@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=bauerman@linux.vnet.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.