linux-integrity.vger.kernel.org archive mirror
* [PATCH] ima: fix error handling logic when file measurement failed
@ 2023-01-04  3:41 Matt Bobrowski
  2023-01-22 23:41 ` Matt Bobrowski
  0 siblings, 1 reply; 4+ messages in thread
From: Matt Bobrowski @ 2023-01-04  3:41 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin; +Cc: linux-integrity

Restore the error handling logic so that when file measurement fails,
the respective iint entry is not left with the digest data being
populated with zeroes.

Fixes: 54f03916fb89 ("ima: permit fsverity's file digests in the IMA measurement list")
Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
---
 security/integrity/ima/ima_api.c  | 2 +-
 security/integrity/ima/ima_main.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index c1e76282b5ee..1e3a7a4f8833 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -292,7 +292,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
 		result = ima_calc_file_hash(file, &hash.hdr);
 	}
 
-	if (result == -ENOMEM)
+	if (result && result != -EBADF && result != -EINVAL)
 		goto out;
 
 	length = sizeof(hash.hdr) + hash.hdr.length;
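Review bot: the new test in ima_collect_measurement() lets -EBADF and -EINVAL fall through to the length calculation while every other non-zero result jumps to out, and neither the hunk nor the changelog says why those two codes are exempt. A one-line comment above `if (result && result != -EBADF && result != -EINVAL)` naming the cases that produce them would keep the exemption from looking arbitrary to the next reader.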
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 377300973e6c..b1ae0f2751f1 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -337,7 +337,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
 	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
 
 	rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
-	if (rc == -ENOMEM)
+	if (rc != 0 && rc != -EBADF && rc != -EINVAL)
 		goto out_locked;
 
 	if (!pathbuf)	/* ima_rdwr_violation possibly pre-fetched */
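Review bot: the check after ima_collect_measurement() in process_measurement() repeats the callee's three-way condition but spells it `rc != 0 && ...` where ima_api.c uses `result && ...`. Using one spelling in both places, or a small shared helper for the error codes that are allowed to continue, would stop the two tests from drifting apart when another error code is added.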
-- 
2.39.0.314.g84b9a713c41-goog

/M


* Re: [PATCH] ima: fix error handling logic when file measurement failed
  2023-01-04  3:41 [PATCH] ima: fix error handling logic when file measurement failed Matt Bobrowski
@ 2023-01-22 23:41 ` Matt Bobrowski
  2023-01-23  0:54   ` Mimi Zohar
  0 siblings, 1 reply; 4+ messages in thread
From: Matt Bobrowski @ 2023-01-22 23:41 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin; +Cc: linux-integrity

Hey Mimi,

Just a gentle ping on this one. 

On Wed, Jan 04, 2023 at 03:41:44AM +0000, Matt Bobrowski wrote:
> Restore the error handling logic so that when file measurement fails,
> the respective iint entry is not left with the digest data being
> populated with zeroes.
> 
> Fixes: 54f03916fb89 ("ima: permit fsverity's file digests in the IMA measurement list")
> Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
> ---
>  security/integrity/ima/ima_api.c  | 2 +-
>  security/integrity/ima/ima_main.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
> index c1e76282b5ee..1e3a7a4f8833 100644
> --- a/security/integrity/ima/ima_api.c
> +++ b/security/integrity/ima/ima_api.c
> @@ -292,7 +292,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
>  		result = ima_calc_file_hash(file, &hash.hdr);
>  	}
>  
> -	if (result == -ENOMEM)
> +	if (result && result != -EBADF && result != -EINVAL)
>  		goto out;
>  
>  	length = sizeof(hash.hdr) + hash.hdr.length;
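Review bot: on the -EBADF and -EINVAL path this hunk still reaches `length = sizeof(hash.hdr) + hash.hdr.length;` after a failed hash calculation, while the changelog says a failed measurement should not leave the iint entry with a zeroed digest. The changelog should state what digest these two cases are expected to record, since the initialisation of hash is outside the visible context.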
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 377300973e6c..b1ae0f2751f1 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -337,7 +337,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
>  	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
>  
>  	rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
> -	if (rc == -ENOMEM)
> +	if (rc != 0 && rc != -EBADF && rc != -EINVAL)
>  		goto out_locked;
>  
>  	if (!pathbuf)	/* ima_rdwr_violation possibly pre-fetched */
> -- 
> 2.39.0.314.g84b9a713c41-goog

/M


* Re: [PATCH] ima: fix error handling logic when file measurement failed
  2023-01-22 23:41 ` Matt Bobrowski
@ 2023-01-23  0:54   ` Mimi Zohar
  2023-01-23  1:25     ` Matt Bobrowski
  0 siblings, 1 reply; 4+ messages in thread
From: Mimi Zohar @ 2023-01-23  0:54 UTC (permalink / raw)
  To: Matt Bobrowski, dmitry.kasatkin; +Cc: linux-integrity

Hi Matt,

On Sun, 2023-01-22 at 23:41 +0000, Matt Bobrowski wrote:
> Hey Mimi,
> 
> Just a gentle ping on this one. 
> 
> On Wed, Jan 04, 2023 at 03:41:44AM +0000, Matt Bobrowski wrote:
> > Restore the error handling logic so that when file measurement fails,
> > the respective iint entry is not left with the digest data being
> > populated with zeroes.
> > 
> > Fixes: 54f03916fb89 ("ima: permit fsverity's file digests in the IMA measurement list")
> > Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>

As of Friday, they're both queued in the next-integrity branch and in
linux-next shortly.

-- 
thanks,

Mimi



* Re: [PATCH] ima: fix error handling logic when file measurement failed
  2023-01-23  0:54   ` Mimi Zohar
@ 2023-01-23  1:25     ` Matt Bobrowski
  0 siblings, 0 replies; 4+ messages in thread
From: Matt Bobrowski @ 2023-01-23  1:25 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: dmitry.kasatkin, linux-integrity

On Sun, Jan 22, 2023 at 07:54:00PM -0500, Mimi Zohar wrote:
> Hi Matt,
> 
> On Sun, 2023-01-22 at 23:41 +0000, Matt Bobrowski wrote:
> > Hey Mimi,
> > 
> > Just a gentle ping on this one. 
> > 
> > On Wed, Jan 04, 2023 at 03:41:44AM +0000, Matt Bobrowski wrote:
> > > Restore the error handling logic so that when file measurement fails,
> > > the respective iint entry is not left with the digest data being
> > > populated with zeroes.
> > > 
> > > Fixes: 54f03916fb89 ("ima: permit fsverity's file digests in the IMA measurement list")
> > > Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
> 
> As of Friday, they're both queued in the next-integrity branch and in
> linux-next shortly.

Oh, cool. I should've checked your tree before reaching out. Thanks
for the confirmation though.

/M
