linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH ima-evm-utils 0/3] libimaevm: Remove digest calculations not supported by IMA
@ 2021-06-30 19:33 Stefan Berger
  2021-06-30 19:33 ` [PATCH ima-evm-utils 1/3] libimaevm: Remove calculation of a digest over a device file Stefan Berger
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Stefan Berger @ 2021-06-30 19:33 UTC (permalink / raw)
  To: linux-integrity; +Cc: zohar, Stefan Berger

Remove digest calculations over directories, symbolic links, and device files
since those and related signature verifications are not supported by IMA in
the kernel.

Regards,
   Stefan

Stefan Berger (3):
  libimaevm: Remove calculation of a digest over a device file
  libimaevm: Remove calculation of a digest over a directory
  libimaevm: Remove calculation of a digest over a symbolic link

 src/libimaevm.c | 68 -------------------------------------------------
 1 file changed, 68 deletions(-)

-- 
2.31.1


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH ima-evm-utils 1/3] libimaevm: Remove calculation of a digest over a device file
  2021-06-30 19:33 [PATCH ima-evm-utils 0/3] libimaevm: Remove digest calculations not supported by IMA Stefan Berger
@ 2021-06-30 19:33 ` Stefan Berger
  2021-06-30 19:33 ` [PATCH ima-evm-utils 2/3] libimaevm: Remove calculation of a digest over a directory Stefan Berger
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Stefan Berger @ 2021-06-30 19:33 UTC (permalink / raw)
  To: linux-integrity; +Cc: zohar, Stefan Berger

Signature verification on device files is not supported by IMA in the
kernel, so remove calculation of digests over devices files.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/libimaevm.c | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 2856270..4d51901 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -225,16 +225,6 @@ static int add_link_hash(const char *path, EVP_MD_CTX *ctx)
 	return !EVP_DigestUpdate(ctx, buf, len);
 }
 
-static int add_dev_hash(struct stat *st, EVP_MD_CTX *ctx)
-{
-	uint32_t dev = st->st_rdev;
-	unsigned major = (dev & 0xfff00) >> 8;
-	unsigned minor = (dev & 0xff) | ((dev >> 12) & 0xfff00);
-
-	log_info("device: %u:%u\n", major, minor);
-	return !EVP_DigestUpdate(ctx, &dev, sizeof(dev));
-}
-
 int ima_calc_hash(const char *file, uint8_t *hash)
 {
 	const EVP_MD *md;
@@ -281,10 +271,6 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 	case S_IFLNK:
 		err = add_link_hash(file, pctx);
 		break;
-	case S_IFIFO: case S_IFSOCK:
-	case S_IFCHR: case S_IFBLK:
-		err = add_dev_hash(&st, pctx);
-		break;
 	default:
 		log_err("Unsupported file type (0x%x)", st.st_mode & S_IFMT);
 		err = -1;
-- 
2.31.1


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH ima-evm-utils 2/3] libimaevm: Remove calculation of a digest over a directory
  2021-06-30 19:33 [PATCH ima-evm-utils 0/3] libimaevm: Remove digest calculations not supported by IMA Stefan Berger
  2021-06-30 19:33 ` [PATCH ima-evm-utils 1/3] libimaevm: Remove calculation of a digest over a device file Stefan Berger
@ 2021-06-30 19:33 ` Stefan Berger
  2021-06-30 19:33 ` [PATCH ima-evm-utils 3/3] libimaevm: Remove calculation of a digest over a symbolic link Stefan Berger
  2021-07-06 18:52 ` [PATCH ima-evm-utils 0/3] libimaevm: Remove digest calculations not supported by IMA Mimi Zohar
  3 siblings, 0 replies; 5+ messages in thread
From: Stefan Berger @ 2021-06-30 19:33 UTC (permalink / raw)
  To: linux-integrity; +Cc: zohar, Stefan Berger

Signature verification on directories is not supported by IMA in the
kernel, so remove the calculation of digests over directories.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/libimaevm.c | 37 -------------------------------------
 1 file changed, 37 deletions(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 4d51901..07a25c9 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -177,40 +177,6 @@ out:
 	return err;
 }
 
-static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
-{
-	struct dirent *de;
-	DIR *dir;
-	unsigned long long ino;
-	unsigned int type;
-	int result = 0;
-
-	dir = opendir(file);
-	if (!dir) {
-		log_err("Failed to open: %s\n", file);
-		return -1;
-	}
-
-	while ((de = readdir(dir))) {
-		ino = de->d_ino;
-		type = de->d_type;
-		log_debug("entry: %s, ino: %llu, type: %u, reclen: %hu\n",
-			  de->d_name, ino, type, de->d_reclen);
-		if (EVP_DigestUpdate(ctx, de->d_name, strlen(de->d_name)) != 1 ||
-		    EVP_DigestUpdate(ctx, &ino, sizeof(ino)) != 1||
-		    EVP_DigestUpdate(ctx, &type, sizeof(type)) != 1) {
-			log_err("EVP_DigestUpdate() failed\n");
-			output_openssl_errors();
-			result = 1;
-			break;
-		}
-	}
-
-	closedir(dir);
-
-	return result;
-}
-
 static int add_link_hash(const char *path, EVP_MD_CTX *ctx)
 {
 	int len;
@@ -265,9 +231,6 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 	case S_IFREG:
 		err = add_file_hash(file, pctx);
 		break;
-	case S_IFDIR:
-		err = add_dir_hash(file, pctx);
-		break;
 	case S_IFLNK:
 		err = add_link_hash(file, pctx);
 		break;
-- 
2.31.1


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH ima-evm-utils 3/3] libimaevm: Remove calculation of a digest over a symbolic link
  2021-06-30 19:33 [PATCH ima-evm-utils 0/3] libimaevm: Remove digest calculations not supported by IMA Stefan Berger
  2021-06-30 19:33 ` [PATCH ima-evm-utils 1/3] libimaevm: Remove calculation of a digest over a device file Stefan Berger
  2021-06-30 19:33 ` [PATCH ima-evm-utils 2/3] libimaevm: Remove calculation of a digest over a directory Stefan Berger
@ 2021-06-30 19:33 ` Stefan Berger
  2021-07-06 18:52 ` [PATCH ima-evm-utils 0/3] libimaevm: Remove digest calculations not supported by IMA Mimi Zohar
  3 siblings, 0 replies; 5+ messages in thread
From: Stefan Berger @ 2021-06-30 19:33 UTC (permalink / raw)
  To: linux-integrity; +Cc: zohar, Stefan Berger

Signature verification on symbolic links is not supported by IMA in the
kernel, so remove the calculation of digests over symbolic links.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/libimaevm.c | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 07a25c9..6591d20 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -177,20 +177,6 @@ out:
 	return err;
 }
 
-static int add_link_hash(const char *path, EVP_MD_CTX *ctx)
-{
-	int len;
-	char buf[1024];
-
-	len = readlink(path, buf, sizeof(buf));
-	/* 0-length links are also an error */
-	if (len <= 0)
-		return -1;
-
-	log_info("link: %s -> %.*s\n", path, len, buf);
-	return !EVP_DigestUpdate(ctx, buf, len);
-}
-
 int ima_calc_hash(const char *file, uint8_t *hash)
 {
 	const EVP_MD *md;
@@ -231,9 +217,6 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 	case S_IFREG:
 		err = add_file_hash(file, pctx);
 		break;
-	case S_IFLNK:
-		err = add_link_hash(file, pctx);
-		break;
 	default:
 		log_err("Unsupported file type (0x%x)", st.st_mode & S_IFMT);
 		err = -1;
-- 
2.31.1


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH ima-evm-utils 0/3] libimaevm: Remove digest calculations not supported by IMA
  2021-06-30 19:33 [PATCH ima-evm-utils 0/3] libimaevm: Remove digest calculations not supported by IMA Stefan Berger
                   ` (2 preceding siblings ...)
  2021-06-30 19:33 ` [PATCH ima-evm-utils 3/3] libimaevm: Remove calculation of a digest over a symbolic link Stefan Berger
@ 2021-07-06 18:52 ` Mimi Zohar
  3 siblings, 0 replies; 5+ messages in thread
From: Mimi Zohar @ 2021-07-06 18:52 UTC (permalink / raw)
  To: Stefan Berger, linux-integrity

Hi Stefan,

On Wed, 2021-06-30 at 15:33 -0400, Stefan Berger wrote:
> Remove digest calculations over directories, symbolic links, and device files
> since those and related signature verifications are not supported by IMA in
> the kernel.
> 
> Regards,
>    Stefan

Thanks, Stefan.  Other than removing the related features from the
README, it looks good.

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>


> Stefan Berger (3):
>   libimaevm: Remove calculation of a digest over a device file
>   libimaevm: Remove calculation of a digest over a directory
>   libimaevm: Remove calculation of a digest over a symbolic link
> 
>  src/libimaevm.c | 68 -------------------------------------------------
>  1 file changed, 68 deletions(-)
> 



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2021-07-06 18:52 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-30 19:33 [PATCH ima-evm-utils 0/3] libimaevm: Remove digest calculations not supported by IMA Stefan Berger
2021-06-30 19:33 ` [PATCH ima-evm-utils 1/3] libimaevm: Remove calculation of a digest over a device file Stefan Berger
2021-06-30 19:33 ` [PATCH ima-evm-utils 2/3] libimaevm: Remove calculation of a digest over a directory Stefan Berger
2021-06-30 19:33 ` [PATCH ima-evm-utils 3/3] libimaevm: Remove calculation of a digest over a symbolic link Stefan Berger
2021-07-06 18:52 ` [PATCH ima-evm-utils 0/3] libimaevm: Remove digest calculations not supported by IMA Mimi Zohar

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).