diff for duplicates of <8760fpck0x.fsf@linux.vnet.ibm.com>
diff --git a/a/1.txt b/N1/1.txt
index 648e829..b80f483 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -50,15 +50,15 @@ Ok, will do for v3.
 >>
 >> - status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
 >> - if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
->> - if ((status = INTEGRITY_NOLABEL)
->> - || (status = INTEGRITY_NOXATTRS))
+>> - if ((status == INTEGRITY_NOLABEL)
+>> - || (status == INTEGRITY_NOXATTRS))
 >> + /* Appended signatures aren't protected by EVM. */
 >> + status = evm_verifyxattr(dentry, XATTR_NAME_IMA,
->> + xattr_value->type = IMA_MODSIG ?
+>> + xattr_value->type == IMA_MODSIG ?
 >> + NULL : xattr_value, rc, iint);
 >> + if (status != INTEGRITY_PASS && status != INTEGRITY_UNKNOWN &&
->> + !(xattr_value->type = IMA_MODSIG &&
->> + (status = INTEGRITY_NOLABEL || status = INTEGRITY_NOXATTRS))) {
+>> + !(xattr_value->type == IMA_MODSIG &&
+>> + (status == INTEGRITY_NOLABEL || status == INTEGRITY_NOXATTRS))) {
 >
 > This was messy to begin with, and now it is even more messy. For
 > appended signatures, we're only interested in INTEGRITY_FAIL. Maybe
@@ -74,14 +74,14 @@ Ok, is this what you had in mind?
 - if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
 + /* Appended signatures aren't protected by EVM. */
 + status = evm_verifyxattr(dentry, XATTR_NAME_IMA,
-+ xattr_value->type = IMA_MODSIG ?
++ xattr_value->type == IMA_MODSIG ?
 + NULL : xattr_value, rc, iint);
-+ if (xattr_value->type = IMA_MODSIG && status = INTEGRITY_FAIL) {
++ if (xattr_value->type == IMA_MODSIG && status == INTEGRITY_FAIL) {
 + cause = "invalid-HMAC";
 + goto out;
 + } else if (status != INTEGRITY_PASS && status != INTEGRITY_UNKNOWN) {
- if ((status = INTEGRITY_NOLABEL)
- || (status = INTEGRITY_NOXATTRS))
+ if ((status == INTEGRITY_NOLABEL)
+ || (status == INTEGRITY_NOXATTRS))
 cause = "missing-HMAC";
 
 >> @@ -267,11 +276,18 @@ int ima_appraise_measurement(enum ima_hooks func,
@@ -95,7 +95,7 @@ Ok, is this what you had in mind?
 >> - iint->ima_hash->digest,
 >> - iint->ima_hash->length);
 >> +
->> + if (xattr_value->type = EVM_IMA_XATTR_DIGSIG)
+>> + if (xattr_value->type == EVM_IMA_XATTR_DIGSIG)
 >> + rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
 >> + (const char *)xattr_value,
 >> + rc, iint->ima_hash->digest,
@@ -140,11 +140,11 @@ More about this code further below.
 + xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
 + algo = iint->ima_hash->algo;
 +
-+ if (!xattr_value || xattr_value->type = IMA_MODSIG ||
++ if (!xattr_value || xattr_value->type == IMA_MODSIG ||
 + ima_get_hash_algo(xattr_value, xattr_len) != algo) {
 + iint->flags |= IMA_DIGSIG;
 +
-+ if (rc = -EOPNOTSUPP)
++ if (rc == -EOPNOTSUPP)
 + status = INTEGRITY_UNKNOWN;
 + else {
 + cause = "invalid-signature";
@@ -166,9 +166,9 @@ More about this code further below.
 >> if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
 >> return -EINVAL;
 >> ima_reset_appraise_flags(d_backing_inode(dentry),
->> - (xvalue->type = EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
->> + xvalue->type = EVM_IMA_XATTR_DIGSIG ||
->> + xvalue->type = IMA_MODSIG);
+>> - (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
+>> + xvalue->type == EVM_IMA_XATTR_DIGSIG ||
+>> + xvalue->type == IMA_MODSIG);
 >
 > Probably easier to read if we set a variable, before calling
 > ima_reset_appraise_flags.
diff --git a/a/content_digest b/N1/content_digest
index e676952..70455db 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -3,7 +3,7 @@
 "ref\01497443972.4287.38.camel@linux.vnet.ibm.com\0"
 "From\0Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>\0"
 "Subject\0Re: [PATCH v2 6/6] ima: Support module-style appended signatures for appraisal\0"
- "Date\0Wed, 21 Jun 2017 17:45:02 +0000\0"
+ "Date\0Wed, 21 Jun 2017 14:45:02 -0300\0"
 "To\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0"
 "Cc\0linux-security-module@vger.kernel.org"
 linux-ima-devel@lists.sourceforge.net
@@ -20,7 +20,7 @@
 Rusty Russell <rusty@rustcorp.com.au>
 Herbert Xu <herbert@gondor.apana.org.au>
 David S. Miller <davem@davemloft.net>
- AKASHI
+ " AKASHI\\"
 " Takahiro <takahiro.akashi@linaro.org>\0"
 "\00:1\0"
 "b\0"
@@ -76,15 +76,15 @@
 ">> \n"
 ">> -\tstatus = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);\n"
 ">> -\tif ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {\n"
- ">> -\t\tif ((status = INTEGRITY_NOLABEL)\n"
- ">> -\t\t || (status = INTEGRITY_NOXATTRS))\n"
+ ">> -\t\tif ((status == INTEGRITY_NOLABEL)\n"
+ ">> -\t\t || (status == INTEGRITY_NOXATTRS))\n"
 ">> +\t/* Appended signatures aren't protected by EVM. */\n"
 ">> +\tstatus = evm_verifyxattr(dentry, XATTR_NAME_IMA,\n"
- ">> +\t\t\t\t xattr_value->type = IMA_MODSIG ?\n"
+ ">> +\t\t\t\t xattr_value->type == IMA_MODSIG ?\n"
 ">> +\t\t\t\t NULL : xattr_value, rc, iint);\n"
 ">> +\tif (status != INTEGRITY_PASS && status != INTEGRITY_UNKNOWN &&\n"
- ">> +\t !(xattr_value->type = IMA_MODSIG &&\n"
- ">> +\t (status = INTEGRITY_NOLABEL || status = INTEGRITY_NOXATTRS))) {\n"
+ ">> +\t !(xattr_value->type == IMA_MODSIG &&\n"
+ ">> +\t (status == INTEGRITY_NOLABEL || status == INTEGRITY_NOXATTRS))) {\n"
 ">\n"
 "> This was messy to begin with, and now it is even more messy. For\n"
 "> appended signatures, we're only interested in INTEGRITY_FAIL. Maybe\n"
@@ -100,14 +100,14 @@
 "-\tif ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {\n"
 "+\t/* Appended signatures aren't protected by EVM. */\n"
 "+\tstatus = evm_verifyxattr(dentry, XATTR_NAME_IMA,\n"
- "+\t\t\t\t xattr_value->type = IMA_MODSIG ?\n"
+ "+\t\t\t\t xattr_value->type == IMA_MODSIG ?\n"
 "+\t\t\t\t NULL : xattr_value, rc, iint);\n"
- "+\tif (xattr_value->type = IMA_MODSIG && status = INTEGRITY_FAIL) {\n"
+ "+\tif (xattr_value->type == IMA_MODSIG && status == INTEGRITY_FAIL) {\n"
 "+\t\tcause = \"invalid-HMAC\";\n"
 "+\t\tgoto out;\n"
 "+\t} else if (status != INTEGRITY_PASS && status != INTEGRITY_UNKNOWN) {\n"
- " \t\tif ((status = INTEGRITY_NOLABEL)\n"
- " \t\t || (status = INTEGRITY_NOXATTRS))\n"
+ " \t\tif ((status == INTEGRITY_NOLABEL)\n"
+ " \t\t || (status == INTEGRITY_NOXATTRS))\n"
 " \t\t\tcause = \"missing-HMAC\";\n"
 "\n"
 ">> @@ -267,11 +276,18 @@ int ima_appraise_measurement(enum ima_hooks func,\n"
@@ -121,7 +121,7 @@
 ">> -\t\t\t\t\t iint->ima_hash->digest,\n"
 ">> -\t\t\t\t\t iint->ima_hash->length);\n"
 ">> +\n"
- ">> +\t\tif (xattr_value->type = EVM_IMA_XATTR_DIGSIG)\n"
+ ">> +\t\tif (xattr_value->type == EVM_IMA_XATTR_DIGSIG)\n"
 ">> +\t\t\trc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,\n"
 ">> +\t\t\t\t\t\t (const char *)xattr_value,\n"
 ">> +\t\t\t\t\t\t rc, iint->ima_hash->digest,\n"
@@ -166,11 +166,11 @@
 "+\t\txattr_len = ima_read_xattr(file_dentry(file), &xattr_value);\n"
 "+\t\talgo = iint->ima_hash->algo;\n"
 "+\n"
- "+\t\tif (!xattr_value || xattr_value->type = IMA_MODSIG ||\n"
+ "+\t\tif (!xattr_value || xattr_value->type == IMA_MODSIG ||\n"
 "+\t\t ima_get_hash_algo(xattr_value, xattr_len) != algo) {\n"
 "+\t\t\tiint->flags |= IMA_DIGSIG;\n"
 "+\n"
- "+\t\t\tif (rc = -EOPNOTSUPP)\n"
+ "+\t\t\tif (rc == -EOPNOTSUPP)\n"
 "+\t\t\t\tstatus = INTEGRITY_UNKNOWN;\n"
 "+\t\t\telse {\n"
 "+\t\t\t\tcause = \"invalid-signature\";\n"
@@ -192,9 +192,9 @@
 ">> \t\tif (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))\n"
 ">> \t\t\treturn -EINVAL;\n"
 ">> \t\tima_reset_appraise_flags(d_backing_inode(dentry),\n"
- ">> -\t\t\t (xvalue->type = EVM_IMA_XATTR_DIGSIG) ? 1 : 0);\n"
- ">> +\t\t\t\t\t xvalue->type = EVM_IMA_XATTR_DIGSIG ||\n"
- ">> +\t\t\t\t\t xvalue->type = IMA_MODSIG);\n"
+ ">> -\t\t\t (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);\n"
+ ">> +\t\t\t\t\t xvalue->type == EVM_IMA_XATTR_DIGSIG ||\n"
+ ">> +\t\t\t\t\t xvalue->type == IMA_MODSIG);\n"
 ">\n"
 "> Probably easier to read if we set a variable, before calling\n"
 "> ima_reset_appraise_flags.\n"
@@ -308,4 +308,4 @@ "Thiago Jung Bauermann\n" IBM Linux Technology Center -c8588cf72d19bfa1ff4868ebf2219ce6351ae40a723f18d0dda26d1f58096ae4 +0f38563213adaa0d78248eeff84da4916b8d7124a4943d7ba1a3c3403b5342d3
diff --git a/a/1.txt b/N2/1.txt
index 648e829..114077d 100644
--- a/a/1.txt
+++ b/N2/1.txt
@@ -50,15 +50,15 @@ Ok, will do for v3.
 >>
 >> - status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
 >> - if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
->> - if ((status = INTEGRITY_NOLABEL)
->> - || (status = INTEGRITY_NOXATTRS))
+>> - if ((status == INTEGRITY_NOLABEL)
+>> - || (status == INTEGRITY_NOXATTRS))
 >> + /* Appended signatures aren't protected by EVM. */
 >> + status = evm_verifyxattr(dentry, XATTR_NAME_IMA,
->> + xattr_value->type = IMA_MODSIG ?
+>> + xattr_value->type == IMA_MODSIG ?
 >> + NULL : xattr_value, rc, iint);
 >> + if (status != INTEGRITY_PASS && status != INTEGRITY_UNKNOWN &&
->> + !(xattr_value->type = IMA_MODSIG &&
->> + (status = INTEGRITY_NOLABEL || status = INTEGRITY_NOXATTRS))) {
+>> + !(xattr_value->type == IMA_MODSIG &&
+>> + (status == INTEGRITY_NOLABEL || status == INTEGRITY_NOXATTRS))) {
 >
 > This was messy to begin with, and now it is even more messy. For
 > appended signatures, we're only interested in INTEGRITY_FAIL. Maybe
@@ -74,14 +74,14 @@ Ok, is this what you had in mind?
 - if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
 + /* Appended signatures aren't protected by EVM. */
 + status = evm_verifyxattr(dentry, XATTR_NAME_IMA,
-+ xattr_value->type = IMA_MODSIG ?
++ xattr_value->type == IMA_MODSIG ?
 + NULL : xattr_value, rc, iint);
-+ if (xattr_value->type = IMA_MODSIG && status = INTEGRITY_FAIL) {
++ if (xattr_value->type == IMA_MODSIG && status == INTEGRITY_FAIL) {
 + cause = "invalid-HMAC";
 + goto out;
 + } else if (status != INTEGRITY_PASS && status != INTEGRITY_UNKNOWN) {
- if ((status = INTEGRITY_NOLABEL)
- || (status = INTEGRITY_NOXATTRS))
+ if ((status == INTEGRITY_NOLABEL)
+ || (status == INTEGRITY_NOXATTRS))
 cause = "missing-HMAC";
 
 >> @@ -267,11 +276,18 @@ int ima_appraise_measurement(enum ima_hooks func,
@@ -95,7 +95,7 @@ Ok, is this what you had in mind?
 >> - iint->ima_hash->digest,
 >> - iint->ima_hash->length);
 >> +
->> + if (xattr_value->type = EVM_IMA_XATTR_DIGSIG)
+>> + if (xattr_value->type == EVM_IMA_XATTR_DIGSIG)
 >> + rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
 >> + (const char *)xattr_value,
 >> + rc, iint->ima_hash->digest,
@@ -140,11 +140,11 @@ More about this code further below.
 + xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
 + algo = iint->ima_hash->algo;
 +
-+ if (!xattr_value || xattr_value->type = IMA_MODSIG ||
++ if (!xattr_value || xattr_value->type == IMA_MODSIG ||
 + ima_get_hash_algo(xattr_value, xattr_len) != algo) {
 + iint->flags |= IMA_DIGSIG;
 +
-+ if (rc = -EOPNOTSUPP)
++ if (rc == -EOPNOTSUPP)
 + status = INTEGRITY_UNKNOWN;
 + else {
 + cause = "invalid-signature";
@@ -166,9 +166,9 @@ More about this code further below.
 >> if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
 >> return -EINVAL;
 >> ima_reset_appraise_flags(d_backing_inode(dentry),
->> - (xvalue->type = EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
->> + xvalue->type = EVM_IMA_XATTR_DIGSIG ||
->> + xvalue->type = IMA_MODSIG);
+>> - (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
+>> + xvalue->type == EVM_IMA_XATTR_DIGSIG ||
+>> + xvalue->type == IMA_MODSIG);
 >
 > Probably easier to read if we set a variable, before calling
 > ima_reset_appraise_flags.
@@ -281,3 +281,8 @@ and xattr sig having to use the same hash algorithm.
 --
 Thiago Jung Bauermann
 IBM Linux Technology Center
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/a/content_digest b/N2/content_digest
index e676952..99d4fa8 100644
--- a/a/content_digest
+++ b/N2/content_digest
@@ -1,27 +1,10 @@
 "ref\01496886555-10082-1-git-send-email-bauerman@linux.vnet.ibm.com\0"
 "ref\01496886555-10082-7-git-send-email-bauerman@linux.vnet.ibm.com\0"
 "ref\01497443972.4287.38.camel@linux.vnet.ibm.com\0"
- "From\0Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>\0"
- "Subject\0Re: [PATCH v2 6/6] ima: Support module-style appended signatures for appraisal\0"
- "Date\0Wed, 21 Jun 2017 17:45:02 +0000\0"
- "To\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0"
- "Cc\0linux-security-module@vger.kernel.org"
- linux-ima-devel@lists.sourceforge.net
- keyrings@vger.kernel.org
- linux-crypto@vger.kernel.org
- linuxppc-dev@lists.ozlabs.org
- linux-kernel@vger.kernel.org
- Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
- James Morris <james.l.morris@oracle.com>
- Serge E. Hallyn <serge@hallyn.com>
- David Howells <dhowells@redhat.com>
- David Woodhouse <dwmw2@infradead.org>
- Jessica Yu <jeyu@redhat.com>
- Rusty Russell <rusty@rustcorp.com.au>
- Herbert Xu <herbert@gondor.apana.org.au>
- David S. Miller <davem@davemloft.net>
- AKASHI
- " Takahiro <takahiro.akashi@linaro.org>\0"
+ "From\0bauerman@linux.vnet.ibm.com (Thiago Jung Bauermann)\0"
+ "Subject\0[PATCH v2 6/6] ima: Support module-style appended signatures for appraisal\0"
+ "Date\0Wed, 21 Jun 2017 14:45:02 -0300\0"
+ "To\0linux-security-module@vger.kernel.org\0"
 "\00:1\0"
 "b\0"
 "\n"
@@ -76,15 +59,15 @@
 ">> \n"
 ">> -\tstatus = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);\n"
 ">> -\tif ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {\n"
- ">> -\t\tif ((status = INTEGRITY_NOLABEL)\n"
- ">> -\t\t || (status = INTEGRITY_NOXATTRS))\n"
+ ">> -\t\tif ((status == INTEGRITY_NOLABEL)\n"
+ ">> -\t\t || (status == INTEGRITY_NOXATTRS))\n"
 ">> +\t/* Appended signatures aren't protected by EVM. */\n"
 ">> +\tstatus = evm_verifyxattr(dentry, XATTR_NAME_IMA,\n"
- ">> +\t\t\t\t xattr_value->type = IMA_MODSIG ?\n"
+ ">> +\t\t\t\t xattr_value->type == IMA_MODSIG ?\n"
 ">> +\t\t\t\t NULL : xattr_value, rc, iint);\n"
 ">> +\tif (status != INTEGRITY_PASS && status != INTEGRITY_UNKNOWN &&\n"
- ">> +\t !(xattr_value->type = IMA_MODSIG &&\n"
- ">> +\t (status = INTEGRITY_NOLABEL || status = INTEGRITY_NOXATTRS))) {\n"
+ ">> +\t !(xattr_value->type == IMA_MODSIG &&\n"
+ ">> +\t (status == INTEGRITY_NOLABEL || status == INTEGRITY_NOXATTRS))) {\n"
 ">\n"
 "> This was messy to begin with, and now it is even more messy. For\n"
 "> appended signatures, we're only interested in INTEGRITY_FAIL. Maybe\n"
@@ -100,14 +83,14 @@
 "-\tif ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {\n"
 "+\t/* Appended signatures aren't protected by EVM. */\n"
 "+\tstatus = evm_verifyxattr(dentry, XATTR_NAME_IMA,\n"
- "+\t\t\t\t xattr_value->type = IMA_MODSIG ?\n"
+ "+\t\t\t\t xattr_value->type == IMA_MODSIG ?\n"
 "+\t\t\t\t NULL : xattr_value, rc, iint);\n"
- "+\tif (xattr_value->type = IMA_MODSIG && status = INTEGRITY_FAIL) {\n"
+ "+\tif (xattr_value->type == IMA_MODSIG && status == INTEGRITY_FAIL) {\n"
 "+\t\tcause = \"invalid-HMAC\";\n"
 "+\t\tgoto out;\n"
 "+\t} else if (status != INTEGRITY_PASS && status != INTEGRITY_UNKNOWN) {\n"
- " \t\tif ((status = INTEGRITY_NOLABEL)\n"
- " \t\t || (status = INTEGRITY_NOXATTRS))\n"
+ " \t\tif ((status == INTEGRITY_NOLABEL)\n"
+ " \t\t || (status == INTEGRITY_NOXATTRS))\n"
 " \t\t\tcause = \"missing-HMAC\";\n"
 "\n"
 ">> @@ -267,11 +276,18 @@ int ima_appraise_measurement(enum ima_hooks func,\n"
@@ -121,7 +104,7 @@
 ">> -\t\t\t\t\t iint->ima_hash->digest,\n"
 ">> -\t\t\t\t\t iint->ima_hash->length);\n"
 ">> +\n"
- ">> +\t\tif (xattr_value->type = EVM_IMA_XATTR_DIGSIG)\n"
+ ">> +\t\tif (xattr_value->type == EVM_IMA_XATTR_DIGSIG)\n"
 ">> +\t\t\trc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,\n"
 ">> +\t\t\t\t\t\t (const char *)xattr_value,\n"
 ">> +\t\t\t\t\t\t rc, iint->ima_hash->digest,\n"
@@ -166,11 +149,11 @@
 "+\t\txattr_len = ima_read_xattr(file_dentry(file), &xattr_value);\n"
 "+\t\talgo = iint->ima_hash->algo;\n"
 "+\n"
- "+\t\tif (!xattr_value || xattr_value->type = IMA_MODSIG ||\n"
+ "+\t\tif (!xattr_value || xattr_value->type == IMA_MODSIG ||\n"
 "+\t\t ima_get_hash_algo(xattr_value, xattr_len) != algo) {\n"
 "+\t\t\tiint->flags |= IMA_DIGSIG;\n"
 "+\n"
- "+\t\t\tif (rc = -EOPNOTSUPP)\n"
+ "+\t\t\tif (rc == -EOPNOTSUPP)\n"
 "+\t\t\t\tstatus = INTEGRITY_UNKNOWN;\n"
 "+\t\t\telse {\n"
 "+\t\t\t\tcause = \"invalid-signature\";\n"
@@ -192,9 +175,9 @@
 ">> \t\tif (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))\n"
 ">> \t\t\treturn -EINVAL;\n"
 ">> \t\tima_reset_appraise_flags(d_backing_inode(dentry),\n"
- ">> -\t\t\t (xvalue->type = EVM_IMA_XATTR_DIGSIG) ? 1 : 0);\n"
- ">> +\t\t\t\t\t xvalue->type = EVM_IMA_XATTR_DIGSIG ||\n"
- ">> +\t\t\t\t\t xvalue->type = IMA_MODSIG);\n"
+ ">> -\t\t\t (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);\n"
+ ">> +\t\t\t\t\t xvalue->type == EVM_IMA_XATTR_DIGSIG ||\n"
+ ">> +\t\t\t\t\t xvalue->type == IMA_MODSIG);\n"
 ">\n"
 "> Probably easier to read if we set a variable, before calling\n"
 "> ima_reset_appraise_flags.\n"
@@ -306,6 +289,11 @@ "\n" "-- \n" "Thiago Jung Bauermann\n" - IBM Linux Technology Center + "IBM Linux Technology Center\n" + "\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -c8588cf72d19bfa1ff4868ebf2219ce6351ae40a723f18d0dda26d1f58096ae4 +6c651582b5dbab2f4ddca1e092d66eaf6d42fdf01fea88bb410b782a28a04b1f