[PATCH 1/2] ima-evm-utils: Fix ima_verify return value on multiple files

[PATCH 1/2] ima-evm-utils: Fix ima_verify return value on multiple files

[Vitaly Chikunov]

If any tested file results in failure produce failure exit code.
Previously exit code affected only by the last file tested.

Fixes: "Allow multiple files in ima_verify"
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---

I decided not to rebase "Allow multiple files in ima_verify" to not create
merge conflicts with "Namespace some too generic object names".

 src/evmctl.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index b02be8b..d33a91e 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -887,7 +887,7 @@ static int verify_ima(const char *file)
 static int cmd_verify_ima(struct command *cmd)
 {
 	char *file = g_argv[optind++];
-	int err;
+	int err, fails = 0;
 
 	if (imaevm_params.keyfile)	/* Support multiple public keys */
 		init_public_keys(imaevm_params.keyfile);
@@ -903,10 +903,12 @@ static int cmd_verify_ima(struct command *cmd)
 
 	do {
 		err = verify_ima(file);
+		if (err)
+			fails++;
 		if (!err && imaevm_params.verbose >= LOG_INFO)
 			log_info("%s: verification is OK\n", file);
 	} while ((file = g_argv[optind++]));
-	return err;
+	return fails > 0;
 }
 
 static int cmd_convert(struct command *cmd)
-- 
2.11.0

[PATCH 2/2] ima-evm-utils: Never exit with -1 code

[Vitaly Chikunov]

Change main() return code from -1 to 125 as -1 is not really valid exit
code. 125 is choosen because exit codes for signals start from 126.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
 src/evmctl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/evmctl.c b/src/evmctl.c
index d33a91e..e0a835f 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -2100,6 +2100,8 @@ int main(int argc, char *argv[])
 				break;
 			log_err("%s\n", ERR_error_string(error, NULL));
 		}
+		if (err < 0)
+			err = 125;
 	}
 
 	if (eng) {
-- 
2.11.0

Re: [PATCH 1/2] ima-evm-utils: Fix ima_verify return value on multiple files

[Mimi Zohar]

On Sat, 2019-07-27 at 06:18 +0300, Vitaly Chikunov wrote:
> If any tested file results in failure produce failure exit code.
> Previously exit code affected only by the last file tested.
> 
> Fixes: "Allow multiple files in ima_verify"
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> ---
> 
> I decided not to rebase "Allow multiple files in ima_verify" to not create
> merge conflicts with "Namespace some too generic object names".

This is fine, thanks.

Mimi

Re: [PATCH 2/2] ima-evm-utils: Never exit with -1 code

[Mimi Zohar]

On Sat, 2019-07-27 at 06:19 +0300, Vitaly Chikunov wrote:
> Change main() return code from -1 to 125 as -1 is not really valid exit
> code. 125 is choosen because exit codes for signals start from 126.
> 
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> ---
>  src/evmctl.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/src/evmctl.c b/src/evmctl.c
> index d33a91e..e0a835f 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -2100,6 +2100,8 @@ int main(int argc, char *argv[])
>  				break;
>  			log_err("%s\n", ERR_error_string(error, NULL));
>  		}
> +		if (err < 0)
> +			err = 125;
>  	}
>  
>  	if (eng) {

Agreed we need to return better errors, but instead of always
returning 125, would it be better to return the first errno, if err is
-1?

Mimi

Re: [PATCH 2/2] ima-evm-utils: Never exit with -1 code

[Vitaly Chikunov]

Mimi,

On Tue, Jul 30, 2019 at 07:57:10AM -0400, Mimi Zohar wrote:
> On Sat, 2019-07-27 at 06:19 +0300, Vitaly Chikunov wrote:
> > Change main() return code from -1 to 125 as -1 is not really valid exit
> > code. 125 is choosen because exit codes for signals start from 126.
> > 
> > Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> > ---
> >  src/evmctl.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/src/evmctl.c b/src/evmctl.c
> > index d33a91e..e0a835f 100644
> > --- a/src/evmctl.c
> > +++ b/src/evmctl.c
> > @@ -2100,6 +2100,8 @@ int main(int argc, char *argv[])
> >  				break;
> >  			log_err("%s\n", ERR_error_string(error, NULL));
> >  		}
> > +		if (err < 0)
> > +			err = 125;
> >  	}
> >  
> >  	if (eng) {
> 
> Agreed we need to return better errors, but instead of always
> returning 125, would it be better to return the first errno, if err is
> -1?

125 will be not always but only to avoid returning -1 (or any negative).

There is no practice to exit with errno, AFAIK. Plus, errno we have at
the end (and which is reported to user) frequently is bogus and that
should be fixed. (I may do this later maybe, don't know how much work
that would require).

We also wish to reserve some exit code as hard error for tests.

Thanks,

> 
> Mimi

Re: [PATCH 2/2] ima-evm-utils: Never exit with -1 code

[Vitaly Chikunov]

On Tue, Jul 30, 2019 at 03:29:39PM +0300, Vitaly Chikunov wrote:
> On Tue, Jul 30, 2019 at 07:57:10AM -0400, Mimi Zohar wrote:
> > On Sat, 2019-07-27 at 06:19 +0300, Vitaly Chikunov wrote:
> > > +		if (err < 0)
> > > +			err = 125;
> > >  	}
> > >  
> > >  	if (eng) {
> > 
> > Agreed we need to return better errors, but instead of always
> > returning 125, would it be better to return the first errno, if err is
> > -1?
> 
> 125 will be not always but only to avoid returning -1 (or any negative).
> 
> There is no practice to exit with errno, AFAIK. Plus, errno we have at
> the end (and which is reported to user) frequently is bogus and that
> should be fixed. (I may do this later maybe, don't know how much work
> that would require).
> 
> We also wish to reserve some exit code as hard error for tests.

I meant 'we also may wish'... This needs to be thought over.