[PATCH ima-evm-utils v2 0/4] libimaevm: Remove digest calculations not supported by IMA

[PATCH ima-evm-utils v2 0/4] libimaevm: Remove digest calculations not supported by IMA

[Stefan Berger]

Remove digest calculations over directories, symbolic links, and device files
since those and related signature verifications are not supported by IMA in
the kernel.

Regards,
   Stefan

v2:
  - added patch 1/4 that removes filering on IMA unsupported file types
  - added Mimi's R-b tags to other patches


Stefan Berger (4):
  evmctl: Remove filtering support for file types unsupported by IMA
  libimaevm: Remove calculation of a digest over a device file
  libimaevm: Remove calculation of a digest over a directory
  libimaevm: Remove calculation of a digest over a symbolic link

 README          |  2 +-
 src/evmctl.c    | 13 +---------
 src/libimaevm.c | 68 -------------------------------------------------
 3 files changed, 2 insertions(+), 81 deletions(-)

-- 
2.31.1

[PATCH ima-evm-utils v2 1/4] evmctl: Remove filtering support for file types unsupported by IMA

[Stefan Berger]

Remove support for filtering on file types unsupported by IMA from evmctl.
This now prevents func(de->d_name) to be invoked on symlinks, block device
files, etc. since signature verification on those file types is not
supported by IMA in the kernel.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 README       |  2 +-
 src/evmctl.c | 13 +------------
 2 files changed, 2 insertions(+), 13 deletions(-)

diff --git a/README b/README
index 321045d..2ccac46 100644
--- a/README
+++ b/README
@@ -51,7 +51,7 @@ OPTIONS
   -o, --portable     generate portable EVM signatures
   -p, --pass         password for encrypted signing key
   -r, --recursive    recurse into directories (sign)
-  -t, --type         file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)
+  -t, --type         file types to fix 'fxm' (f: file)
                      x - skip fixing if both ima and evm xattrs exist (use with caution)
                      m - stay on the same filesystem (like 'find -xdev')
   -n                 print result to stdout instead of setting xattr
diff --git a/src/evmctl.c b/src/evmctl.c
index 7a6f202..04f14af 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -142,10 +142,6 @@ typedef int (*find_cb_t)(const char *path);
 static int find(const char *path, int dts, find_cb_t func);
 
 #define REG_MASK	(1 << DT_REG)
-#define DIR_MASK	(1 << DT_DIR)
-#define LNK_MASK	(1 << DT_LNK)
-#define CHR_MASK	(1 << DT_CHR)
-#define BLK_MASK	(1 << DT_BLK)
 
 struct command cmds[];
 static void print_usage(struct command *cmd);
@@ -668,10 +664,6 @@ static int get_file_type(const char *path, const char *search_type)
 		switch (search_type[i]) {
 		case 'f':
 			dts |= REG_MASK; break;
-		case 'd':
-			dts |= DIR_MASK; break;
-		case 's':
-			dts |= BLK_MASK | CHR_MASK | LNK_MASK; break;
 		case 'x':
 			check_xattr = true; break;
 		case 'm':
@@ -1371,9 +1363,6 @@ static int find(const char *path, int dts, find_cb_t func)
 		return -1;
 	}
 
-	if (dts & DIR_MASK)
-		func(path);
-
 	closedir(dir);
 
 	return 0;
@@ -2517,7 +2506,7 @@ static void usage(void)
 		"  -o, --portable     generate portable EVM signatures\n"
 		"  -p, --pass         password for encrypted signing key\n"
 		"  -r, --recursive    recurse into directories (sign)\n"
-		"  -t, --type         file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)\n"
+		"  -t, --type         file types to fix 'fxm' (f: file)\n"
 		"                     x - skip fixing if both ima and evm xattrs exist (use with caution)\n"
 		"                     m - stay on the same filesystem (like 'find -xdev')\n"
 		"  -n                 print result to stdout instead of setting xattr\n"
-- 
2.31.1

[PATCH ima-evm-utils v2 2/4] libimaevm: Remove calculation of a digest over a device file

[Stefan Berger]

Signature verification on device files is not supported by IMA in the
kernel, so remove calculation of digests over devices files.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/libimaevm.c | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 2856270..4d51901 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -225,16 +225,6 @@ static int add_link_hash(const char *path, EVP_MD_CTX *ctx)
 	return !EVP_DigestUpdate(ctx, buf, len);
 }
 
-static int add_dev_hash(struct stat *st, EVP_MD_CTX *ctx)
-{
-	uint32_t dev = st->st_rdev;
-	unsigned major = (dev & 0xfff00) >> 8;
-	unsigned minor = (dev & 0xff) | ((dev >> 12) & 0xfff00);
-
-	log_info("device: %u:%u\n", major, minor);
-	return !EVP_DigestUpdate(ctx, &dev, sizeof(dev));
-}
-
 int ima_calc_hash(const char *file, uint8_t *hash)
 {
 	const EVP_MD *md;
@@ -281,10 +271,6 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 	case S_IFLNK:
 		err = add_link_hash(file, pctx);
 		break;
-	case S_IFIFO: case S_IFSOCK:
-	case S_IFCHR: case S_IFBLK:
-		err = add_dev_hash(&st, pctx);
-		break;
 	default:
 		log_err("Unsupported file type (0x%x)", st.st_mode & S_IFMT);
 		err = -1;
-- 
2.31.1

[PATCH ima-evm-utils v2 3/4] libimaevm: Remove calculation of a digest over a directory

[Stefan Berger]

Signature verification on directories is not supported by IMA in the
kernel, so remove the calculation of digests over directories.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/libimaevm.c | 37 -------------------------------------
 1 file changed, 37 deletions(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 4d51901..07a25c9 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -177,40 +177,6 @@ out:
 	return err;
 }
 
-static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
-{
-	struct dirent *de;
-	DIR *dir;
-	unsigned long long ino;
-	unsigned int type;
-	int result = 0;
-
-	dir = opendir(file);
-	if (!dir) {
-		log_err("Failed to open: %s\n", file);
-		return -1;
-	}
-
-	while ((de = readdir(dir))) {
-		ino = de->d_ino;
-		type = de->d_type;
-		log_debug("entry: %s, ino: %llu, type: %u, reclen: %hu\n",
-			  de->d_name, ino, type, de->d_reclen);
-		if (EVP_DigestUpdate(ctx, de->d_name, strlen(de->d_name)) != 1 ||
-		    EVP_DigestUpdate(ctx, &ino, sizeof(ino)) != 1||
-		    EVP_DigestUpdate(ctx, &type, sizeof(type)) != 1) {
-			log_err("EVP_DigestUpdate() failed\n");
-			output_openssl_errors();
-			result = 1;
-			break;
-		}
-	}
-
-	closedir(dir);
-
-	return result;
-}
-
 static int add_link_hash(const char *path, EVP_MD_CTX *ctx)
 {
 	int len;
@@ -265,9 +231,6 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 	case S_IFREG:
 		err = add_file_hash(file, pctx);
 		break;
-	case S_IFDIR:
-		err = add_dir_hash(file, pctx);
-		break;
 	case S_IFLNK:
 		err = add_link_hash(file, pctx);
 		break;
-- 
2.31.1

[PATCH ima-evm-utils v2 4/4] libimaevm: Remove calculation of a digest over a symbolic link

[Stefan Berger]

Signature verification on symbolic links is not supported by IMA in the
kernel, so remove the calculation of digests over symbolic links.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/libimaevm.c | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 07a25c9..6591d20 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -177,20 +177,6 @@ out:
 	return err;
 }
 
-static int add_link_hash(const char *path, EVP_MD_CTX *ctx)
-{
-	int len;
-	char buf[1024];
-
-	len = readlink(path, buf, sizeof(buf));
-	/* 0-length links are also an error */
-	if (len <= 0)
-		return -1;
-
-	log_info("link: %s -> %.*s\n", path, len, buf);
-	return !EVP_DigestUpdate(ctx, buf, len);
-}
-
 int ima_calc_hash(const char *file, uint8_t *hash)
 {
 	const EVP_MD *md;
@@ -231,9 +217,6 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 	case S_IFREG:
 		err = add_file_hash(file, pctx);
 		break;
-	case S_IFLNK:
-		err = add_link_hash(file, pctx);
-		break;
 	default:
 		log_err("Unsupported file type (0x%x)", st.st_mode & S_IFMT);
 		err = -1;
-- 
2.31.1