From: Thiago Jung Bauermann <bauerman@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-kernel@vger.kernel.org,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Jessica Yu <jeyu@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"AKASHI, Takahiro" <takahiro.akashi@linaro.org>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>
Subject: [PATCH v7 08/14] ima: Introduce is_signed()
Date: Tue, 22 May 2018 21:12:47 -0300 [thread overview]
Message-ID: <20180523001253.15247-9-bauerman@linux.ibm.com> (raw)
In-Reply-To: <20180523001253.15247-1-bauerman@linux.ibm.com>
With the introduction of another IMA signature type (modsig), some places
will need to check for both of them. It is cleaner to do that if there's a
helper function to tell whether an xattr_value represents an IMA
signature.
Suggested-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
---
security/integrity/ima/ima.h | 5 +++++
security/integrity/ima/ima_appraise.c | 7 +++----
security/integrity/ima/ima_template_lib.c | 2 +-
3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 354bb5716ce3..43d4aaf31f7a 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -154,6 +154,11 @@ unsigned long ima_get_binary_runtime_size(void);
int ima_init_template(void);
void ima_init_template_list(void);
+static inline bool is_signed(const struct evm_ima_xattr_data *xattr_value)
+{
+ return xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG;
+}
+
/*
* used to protect h_table and sha_table
*/
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index a6b2995b7d0b..bcbbd8f86fe1 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -325,15 +325,14 @@ int ima_appraise_measurement(enum ima_hooks func,
} else if (status != INTEGRITY_PASS) {
/* Fix mode, but don't replace file signatures. */
if ((ima_appraise & IMA_APPRAISE_FIX) &&
- (!xattr_value ||
- xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
+ !is_signed(xattr_value)) {
if (!ima_fix_xattr(dentry, iint))
status = INTEGRITY_PASS;
}
/* Permit new files with file signatures, but without data. */
if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
- xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) {
+ is_signed(xattr_value)) {
status = INTEGRITY_PASS;
}
@@ -448,7 +447,7 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
return -EINVAL;
ima_reset_appraise_flags(d_backing_inode(dentry),
- xvalue->type == EVM_IMA_XATTR_DIGSIG);
+ is_signed(xvalue));
result = 0;
}
return result;
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 43752002c222..300912914b17 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -382,7 +382,7 @@ int ima_eventsig_init(struct ima_event_data *event_data,
{
struct evm_ima_xattr_data *xattr_value = event_data->xattr_value;
- if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
+ if (!is_signed(xattr_value))
return 0;
return ima_write_template_field_data(xattr_value, event_data->xattr_len,
WARNING: multiple messages have this Message-ID (diff)
From: Thiago Jung Bauermann <bauerman@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-kernel@vger.kernel.org,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Jessica Yu <jeyu@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"AKASHI, Takahiro" <takahiro.akashi@linaro.org>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>
Subject: [PATCH v7 08/14] ima: Introduce is_signed()
Date: Wed, 23 May 2018 00:12:47 +0000 [thread overview]
Message-ID: <20180523001253.15247-9-bauerman@linux.ibm.com> (raw)
In-Reply-To: <20180523001253.15247-1-bauerman@linux.ibm.com>
With the introduction of another IMA signature type (modsig), some places
will need to check for both of them. It is cleaner to do that if there's a
helper function to tell whether an xattr_value represents an IMA
signature.
Suggested-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
---
security/integrity/ima/ima.h | 5 +++++
security/integrity/ima/ima_appraise.c | 7 +++----
security/integrity/ima/ima_template_lib.c | 2 +-
3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 354bb5716ce3..43d4aaf31f7a 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -154,6 +154,11 @@ unsigned long ima_get_binary_runtime_size(void);
int ima_init_template(void);
void ima_init_template_list(void);
+static inline bool is_signed(const struct evm_ima_xattr_data *xattr_value)
+{
+ return xattr_value && xattr_value->type = EVM_IMA_XATTR_DIGSIG;
+}
+
/*
* used to protect h_table and sha_table
*/
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index a6b2995b7d0b..bcbbd8f86fe1 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -325,15 +325,14 @@ int ima_appraise_measurement(enum ima_hooks func,
} else if (status != INTEGRITY_PASS) {
/* Fix mode, but don't replace file signatures. */
if ((ima_appraise & IMA_APPRAISE_FIX) &&
- (!xattr_value ||
- xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
+ !is_signed(xattr_value)) {
if (!ima_fix_xattr(dentry, iint))
status = INTEGRITY_PASS;
}
/* Permit new files with file signatures, but without data. */
if (inode->i_size = 0 && iint->flags & IMA_NEW_FILE &&
- xattr_value && xattr_value->type = EVM_IMA_XATTR_DIGSIG) {
+ is_signed(xattr_value)) {
status = INTEGRITY_PASS;
}
@@ -448,7 +447,7 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
return -EINVAL;
ima_reset_appraise_flags(d_backing_inode(dentry),
- xvalue->type = EVM_IMA_XATTR_DIGSIG);
+ is_signed(xvalue));
result = 0;
}
return result;
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 43752002c222..300912914b17 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -382,7 +382,7 @@ int ima_eventsig_init(struct ima_event_data *event_data,
{
struct evm_ima_xattr_data *xattr_value = event_data->xattr_value;
- if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
+ if (!is_signed(xattr_value))
return 0;
return ima_write_template_field_data(xattr_value, event_data->xattr_len,
WARNING: multiple messages have this Message-ID (diff)
From: bauerman@linux.ibm.com (Thiago Jung Bauermann)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v7 08/14] ima: Introduce is_signed()
Date: Tue, 22 May 2018 21:12:47 -0300 [thread overview]
Message-ID: <20180523001253.15247-9-bauerman@linux.ibm.com> (raw)
In-Reply-To: <20180523001253.15247-1-bauerman@linux.ibm.com>
With the introduction of another IMA signature type (modsig), some places
will need to check for both of them. It is cleaner to do that if there's a
helper function to tell whether an xattr_value represents an IMA
signature.
Suggested-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
---
security/integrity/ima/ima.h | 5 +++++
security/integrity/ima/ima_appraise.c | 7 +++----
security/integrity/ima/ima_template_lib.c | 2 +-
3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 354bb5716ce3..43d4aaf31f7a 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -154,6 +154,11 @@ unsigned long ima_get_binary_runtime_size(void);
int ima_init_template(void);
void ima_init_template_list(void);
+static inline bool is_signed(const struct evm_ima_xattr_data *xattr_value)
+{
+ return xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG;
+}
+
/*
* used to protect h_table and sha_table
*/
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index a6b2995b7d0b..bcbbd8f86fe1 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -325,15 +325,14 @@ int ima_appraise_measurement(enum ima_hooks func,
} else if (status != INTEGRITY_PASS) {
/* Fix mode, but don't replace file signatures. */
if ((ima_appraise & IMA_APPRAISE_FIX) &&
- (!xattr_value ||
- xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
+ !is_signed(xattr_value)) {
if (!ima_fix_xattr(dentry, iint))
status = INTEGRITY_PASS;
}
/* Permit new files with file signatures, but without data. */
if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
- xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) {
+ is_signed(xattr_value)) {
status = INTEGRITY_PASS;
}
@@ -448,7 +447,7 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
return -EINVAL;
ima_reset_appraise_flags(d_backing_inode(dentry),
- xvalue->type == EVM_IMA_XATTR_DIGSIG);
+ is_signed(xvalue));
result = 0;
}
return result;
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 43752002c222..300912914b17 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -382,7 +382,7 @@ int ima_eventsig_init(struct ima_event_data *event_data,
{
struct evm_ima_xattr_data *xattr_value = event_data->xattr_value;
- if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
+ if (!is_signed(xattr_value))
return 0;
return ima_write_template_field_data(xattr_value, event_data->xattr_len,
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-05-23 0:12 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-23 0:12 [PATCH v7 00/14] Appended signatures support for IMA appraisal Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` [PATCH v7 01/14] MODSIGN: Export module signature definitions Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` [PATCH v7 02/14] PKCS#7: Refactor verify_pkcs7_signature() and add pkcs7_get_message_sig() Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` [PATCH v7 03/14] PKCS#7: Introduce pkcs7_get_digest() Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` [PATCH v7 04/14] integrity: Introduce struct evm_xattr Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` [PATCH v7 05/14] integrity: Introduce integrity_keyring_from_id() Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` [PATCH v7 06/14] integrity: Introduce asymmetric_sig_has_known_key() Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` [PATCH v7 07/14] integrity: Select CONFIG_KEYS instead of depending on it Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann [this message]
2018-05-23 0:12 ` [PATCH v7 08/14] ima: Introduce is_signed() Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` [PATCH v7 09/14] ima: Export func_tokens Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` [PATCH v7 10/14] ima: Add modsig appraise_type option for module-style appended signatures Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` [PATCH v7 11/14] ima: Implement support " Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` [PATCH v7 12/14] ima: Add new "d-sig" template field Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` [PATCH v7 13/14] ima: Write modsig to the measurement list Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` [PATCH v7 14/14] ima: Store the measurement again when appraising a modsig Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
2018-05-23 0:12 ` Thiago Jung Bauermann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180523001253.15247-9-bauerman@linux.ibm.com \
--to=bauerman@linux.ibm.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=herbert@gondor.apana.org.au \
--cc=jeyu@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=serge@hallyn.com \
--cc=takahiro.akashi@linaro.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.