Received: by 10.213.65.68 with SMTP id h4csp148330imn;
        Thu, 15 Mar 2018 12:19:48 -0700 (PDT)
X-Google-Smtp-Source: AG47ELveSzKfWo/BcGC1uG4JFFHXuUvXUVQCnFSwwxc+vTrW0q8YGdAbMWqeqQLQhNgAWzn4pS3u
X-Received: by 2002:a17:902:a2:: with SMTP id a31-v6mr9266379pla.204.1521141588195;
        Thu, 15 Mar 2018 12:19:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521141588; cv=none;
        d=google.com; s=arc-20160816;
        b=OzzOcOYAGiE3d72KGxjJHkbHc2tT29n/QzxEudN0a+77ebKEiKRyrQcoBViVHFpq2B
         6UD5dviNp8GihhrlkVPJsYzfJbK0DL8IlHs3vujlIPFsWgFCu9TOKAil09Q00/eVzeBR
         yzKJONEGZQDnSCweqtFo2neEO6MCCy42kzZdwbsq7CsVXmmXZY3RLO/oyrWaSidthpGo
         ciAgOom2QbUHwq80RJ94quX6R+SZ2CHe98myEGw0hjNGagtNu9fMVZfD4JROiEbJO1+1
         YBGx56uEjyX0TH/nZG6s/MA6sxFxVQ4YXCTeWBH7RkBOM62PsZ7FshasE8I/TVIj2Kuo
         fCQg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:content-transfer-encoding
         :mime-version:references:in-reply-to:date:cc:to:from:subject
         :arc-authentication-results;
        bh=qjy82VY4I2gvAnetS+MPNs8NlCS0EmP1RyfR/ENS2hw=;
        b=GCLunohOKi3CBXK5l6WIKo3r93PUH3oCmS5YHOX4Zcg18BeDBh9EGkPKVFjr927/rF
         m4wtH9sOdPr3NifmoSNvl/3wdIarpeF/ssK8x2OSoKm4l0YsUQpI0lWsBu1ipjpoKK36
         OS4NnjqbT+n/H1dPATJdYHlO0DeZUEJsRH0Ouy5U1MYpZ0x7noXmvZ6sTTghjIj+9XY2
         sBUHjlNrQbRhEVCupRECF4uRLV5LojVNpGsq57RI4iH9lcm9ADahdq0bFq2SRjlWT0/M
         WvD3WOsud/hVrqDA9DHhAv/2IbWTI3yKjqssgHrvlzzCFVnwnjS/sny//di4ZZjyK6i/
         pbJw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x75si1577857pfa.74.2018.03.15.12.19.33;
        Thu, 15 Mar 2018 12:19:48 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752815AbeCOTSr (ORCPT <rfc822;yuankui.zhao@gmail.com>
        + 99 others); Thu, 15 Mar 2018 15:18:47 -0400
Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:53556 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1752337AbeCOTSo (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 15 Mar 2018 15:18:44 -0400
Received: from pps.filterd (m0098393.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w2FJIMOt038930
        for <linux-kernel@vger.kernel.org>; Thu, 15 Mar 2018 15:18:43 -0400
Received: from e06smtp15.uk.ibm.com (e06smtp15.uk.ibm.com [195.75.94.111])
        by mx0a-001b2d01.pphosted.com with ESMTP id 2gqv6f7wgr-1
        (version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Thu, 15 Mar 2018 15:18:43 -0400
Received: from localhost
        by e06smtp15.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
        for <linux-kernel@vger.kernel.org> from <zohar@linux.vnet.ibm.com>;
        Thu, 15 Mar 2018 19:18:40 -0000
Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196)
        by e06smtp15.uk.ibm.com (192.168.101.145) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;
        Thu, 15 Mar 2018 19:18:37 -0000
Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61])
        by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w2FJIabU57934010;
        Thu, 15 Mar 2018 19:18:36 GMT
Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 431F311C058;
        Thu, 15 Mar 2018 19:11:13 +0000 (GMT)
Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 4B9B611C04C;
        Thu, 15 Mar 2018 19:11:12 +0000 (GMT)
Received: from localhost.localdomain (unknown [9.80.100.228])
        by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP;
        Thu, 15 Mar 2018 19:11:12 +0000 (GMT)
Subject: Re: [PATCH 3/4] ima: Improvements in ima_appraise_measurement()
From:   Mimi Zohar <zohar@linux.vnet.ibm.com>
To:     Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>,
        "Serge E. Hallyn" <serge@hallyn.com>
Cc:     linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, James Morris <jmorris@namei.org>,
        Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Date:   Thu, 15 Mar 2018 15:18:34 -0400
In-Reply-To: <87efkmjjc7.fsf@morokweng.localdomain>
References: <20180314202020.3794-1-bauerman@linux.vnet.ibm.com>
         <20180314202020.3794-4-bauerman@linux.vnet.ibm.com>
         <20180314214045.GC14289@mail.hallyn.com>
         <87efkmjjc7.fsf@morokweng.localdomain>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TM-AS-GCONF: 00
x-cbid: 18031519-0020-0000-0000-00000405797A
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 18031519-0021-0000-0000-00004299837D
Message-Id: <1521141514.3547.637.camel@linux.vnet.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-03-15_10:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000
 definitions=main-1803150209
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2018-03-14 at 21:03 -0300, Thiago Jung Bauermann wrote:
> Hello Serge,
> 
> Thanks for quickly reviewing these patches!
> 
> Serge E. Hallyn <serge@hallyn.com> writes:
> 
> > Quoting Thiago Jung Bauermann (bauerman@linux.vnet.ibm.com):
> >> From: Mimi Zohar <zohar@linux.vnet.ibm.com>
> >> @@ -241,16 +241,20 @@ int ima_appraise_measurement(enum ima_hooks func,
> >>  	}
> >>  
> >>  	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
> >> -	if ((status != INTEGRITY_PASS) &&
> >> -	    (status != INTEGRITY_PASS_IMMUTABLE) &&
> >> -	    (status != INTEGRITY_UNKNOWN)) {
> >> -		if ((status == INTEGRITY_NOLABEL)
> >> -		    || (status == INTEGRITY_NOXATTRS))
> >> -			cause = "missing-HMAC";
> >> -		else if (status == INTEGRITY_FAIL)
> >> -			cause = "invalid-HMAC";
> >> +	switch (status) {
> >> +	case INTEGRITY_PASS:
> >> +	case INTEGRITY_PASS_IMMUTABLE:
> >> +	case INTEGRITY_UNKNOWN:
> >
> > Wouldn't it be more future-proof to replace this with a 'default', or
> > to at least add a "default: BUG()" to catch new status values?
> 
> I agree. I like the "default: BUG()" option.

Agreed.  I would put it at the end after INTEGRITY_FAIL.

> 
> >> +		break;
> >> +	case INTEGRITY_NOXATTRS:	/* No EVM protected xattrs. */
> >> +	case INTEGRITY_NOLABEL:		/* No security.evm xattr. */
> >> +		cause = "missing-HMAC";
> >> +		goto out;
> >> +	case INTEGRITY_FAIL:		/* Invalid HMAC/signature. */
> >> +		cause = "invalid-HMAC";
> >>  		goto out;
> >>  	}
> >> +
> >>  	switch (xattr_value->type) {
> >>  	case IMA_XATTR_DIGEST_NG:
> >>  		/* first byte contains algorithm id */
> >> @@ -316,17 +320,20 @@ int ima_appraise_measurement(enum ima_hooks func,
> >>  		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> >>  				    op, cause, rc, 0);
> >>  	} else if (status != INTEGRITY_PASS) {
> >> +		/* Fix mode, but don't replace file signatures. */
> >>  		if ((ima_appraise & IMA_APPRAISE_FIX) &&
> >>  		    (!xattr_value ||
> >>  		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
> >>  			if (!ima_fix_xattr(dentry, iint))
> >>  				status = INTEGRITY_PASS;
> >> -		} else if ((inode->i_size == 0) &&
> >> -			   (iint->flags & IMA_NEW_FILE) &&
> >> -			   (xattr_value &&
> >> -			    xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
> >> +		}
> >> +
> >> +		/* Permit new files with file signatures, but without data. */
> >> +		if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
> >
> > This may be correct, but it's not identical to what you're replacing.
> > Since in either case you're setting status to INTEGRITY_PASS the final
> > result is the same, but with a few extra possible steps.  Not sure
> > whether that matters.
> 
> Good point. I'll have to defer this one to Mimi though.

The end result is the same, but add some needed comments.

Mimi

> 
> >
> >> +		    xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) {
> >>  			status = INTEGRITY_PASS;
> >>  		}
> >> +
> >>  		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> >>  				    op, cause, rc, 0);
> >>  	} else {
> 
>