Received: by 10.213.65.68 with SMTP id h4csp1259666imn; Wed, 14 Mar 2018 14:42:00 -0700 (PDT) X-Google-Smtp-Source: AG47ELsMPBQtTDyUfEoKA+QH2AkswyF5XJhumLIto4qRERG+PkyryDjHRIxhnEFLmSdeamTO+pm6 X-Received: by 2002:a17:902:7185:: with SMTP id b5-v6mr3660798pll.221.1521063720326; Wed, 14 Mar 2018 14:42:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521063720; cv=none; d=google.com; s=arc-20160816; b=dd4Gjtl9SxmRSxc2rqpbDX/WYWcuzi8NHp5rYbv3RQSqirGgSyvifkG0sZwGzfenIh tOGqciDexp48iuyzpQieZExd7WDfF8KleGnBmk9cAK65a/I962YG5n3DTMS4XdQhj/5q lXrDGnW4WdIaSWYhzsd+hqeUNyRVWiFwqT9OtgvDoHaa0gWqaKp1j85ZtFuePJgbLQNN 09ZF2Y/3yfPOU1UXew75iAz9w16IJzlyJvkjLeA1leJYosXcl6cG1BBrbpOFhJ2UZEd6 9tiYEMUNYJ4Z8TZrJAbHwk+fQ9n5D4gez8+Nghx4rfHFmP/TB9P96s+uPzW2PzrGRf3E z+lQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=o9QCpxQd8Nf7RLUlOqH1ivGnCQ7PkYPRduI0JNoNrKI=; b=cvQunku0bFlPoduaXqBzhymIOPV/melsMDmQqbAyGlgnRa8UYAEz7ErZtZ2MZtGYi6 PyworHlqoEWkIKnvk03+rdrUDaDwLPTLI5kaASgExyjLk93911E7pBABSUC+8WaiM/B9 R5RSdf7U/Y61VTzmB3nL3eaBWe6sT1qSnJ1oDjCpC2UeS1Ly/XLiaUSB+ueQb+dfd4o3 uQersWXhdgzGxNGtXge58rbVoeh6jWi5oBE4Cj6DqMoYfWbtljnrZi1a8EibKk0/yJ7J OmbGepith5zNMclvP/CBztuJ1B1dPjHzu1mSYbZBc29EQ/7gOBGuod5aDDnUsm1X50ub 9xvw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f4si2401488pgc.267.2018.03.14.14.41.45; Wed, 14 Mar 2018 14:42:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751944AbeCNVkt (ORCPT + 99 others); Wed, 14 Mar 2018 17:40:49 -0400 Received: from h2.hallyn.com ([78.46.35.8]:45498 "EHLO mail.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751624AbeCNVkr (ORCPT ); Wed, 14 Mar 2018 17:40:47 -0400 Received: by mail.hallyn.com (Postfix, from userid 1001) id E4EBF1205E6; Wed, 14 Mar 2018 16:40:45 -0500 (CDT) Date: Wed, 14 Mar 2018 16:40:45 -0500 From: "Serge E. Hallyn" To: Thiago Jung Bauermann Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, James Morris , "Serge E. Hallyn" , Mimi Zohar , Dmitry Kasatkin Subject: Re: [PATCH 3/4] ima: Improvements in ima_appraise_measurement() Message-ID: <20180314214045.GC14289@mail.hallyn.com> References: <20180314202020.3794-1-bauerman@linux.vnet.ibm.com> <20180314202020.3794-4-bauerman@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180314202020.3794-4-bauerman@linux.vnet.ibm.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Quoting Thiago Jung Bauermann (bauerman@linux.vnet.ibm.com): > From: Mimi Zohar > > Replace nested ifs in the EVM xattr verification logic with a switch > statement, making the code easier to understand. > > Also, add comments to the if statements in the out section and constify the > cause variable. > > Signed-off-by: Mimi Zohar > Signed-off-by: Thiago Jung Bauermann > --- > security/integrity/ima/ima_appraise.c | 33 ++++++++++++++++++++------------- > 1 file changed, 20 insertions(+), 13 deletions(-) > > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > index 0c5f94b7b9c3..dd10ecbdce45 100644 > --- a/security/integrity/ima/ima_appraise.c > +++ b/security/integrity/ima/ima_appraise.c > @@ -215,7 +215,7 @@ int ima_appraise_measurement(enum ima_hooks func, > int xattr_len, int opened) > { > static const char op[] = "appraise_data"; > - char *cause = "unknown"; > + const char *cause = "unknown"; > struct dentry *dentry = file_dentry(file); > struct inode *inode = d_backing_inode(dentry); > enum integrity_status status = INTEGRITY_UNKNOWN; > @@ -241,16 +241,20 @@ int ima_appraise_measurement(enum ima_hooks func, > } > > status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint); > - if ((status != INTEGRITY_PASS) && > - (status != INTEGRITY_PASS_IMMUTABLE) && > - (status != INTEGRITY_UNKNOWN)) { > - if ((status == INTEGRITY_NOLABEL) > - || (status == INTEGRITY_NOXATTRS)) > - cause = "missing-HMAC"; > - else if (status == INTEGRITY_FAIL) > - cause = "invalid-HMAC"; > + switch (status) { > + case INTEGRITY_PASS: > + case INTEGRITY_PASS_IMMUTABLE: > + case INTEGRITY_UNKNOWN: Wouldn't it be more future-proof to replace this with a 'default', or to at least add a "default: BUG()" to catch new status values? > + break; > + case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */ > + case INTEGRITY_NOLABEL: /* No security.evm xattr. */ > + cause = "missing-HMAC"; > + goto out; > + case INTEGRITY_FAIL: /* Invalid HMAC/signature. */ > + cause = "invalid-HMAC"; > goto out; > } > + > switch (xattr_value->type) { > case IMA_XATTR_DIGEST_NG: > /* first byte contains algorithm id */ > @@ -316,17 +320,20 @@ int ima_appraise_measurement(enum ima_hooks func, > integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, > op, cause, rc, 0); > } else if (status != INTEGRITY_PASS) { > + /* Fix mode, but don't replace file signatures. */ > if ((ima_appraise & IMA_APPRAISE_FIX) && > (!xattr_value || > xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { > if (!ima_fix_xattr(dentry, iint)) > status = INTEGRITY_PASS; > - } else if ((inode->i_size == 0) && > - (iint->flags & IMA_NEW_FILE) && > - (xattr_value && > - xattr_value->type == EVM_IMA_XATTR_DIGSIG)) { > + } > + > + /* Permit new files with file signatures, but without data. */ > + if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE && This may be correct, but it's not identical to what you're replacing. Since in either case you're setting status to INTEGRITY_PASS the final result is the same, but with a few extra possible steps. Not sure whether that matters. > + xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) { > status = INTEGRITY_PASS; > } > + > integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, > op, cause, rc, 0); > } else {