Received: by 10.213.65.68 with SMTP id h4csp404051imn; Sat, 17 Mar 2018 08:12:03 -0700 (PDT) X-Google-Smtp-Source: AG47ELtG9qL4GA4A/1853HOzClHTsJhtEdZVXfohc+Osj+52N2z/Tpc4BZUo+Jm4lt9pl2oqp9ou X-Received: by 10.99.146.66 with SMTP id s2mr4604334pgn.372.1521299523218; Sat, 17 Mar 2018 08:12:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521299523; cv=none; d=google.com; s=arc-20160816; b=AwxJeJiwWhw2lLipPL+t7UU7EsKFQ8PEiqZqcXHeN/9z0LBIDh5sDDuDfvtFkKaYQd 23zYLiwFCqXv82mF/hLctsHKFw8UFApVTAtvlA0LihgbutwMx9ezWfJePfrCZthO3q0V Gwl6qxA0AZKdssflUhxBe/0w+3W2hSfuQOkQ/hXCDrdkzx/HgyHArRvmfyBQQ7TGO8ob aTJdaZ/Ycrobg6JaXxFy0u0E+Ch75G34fpJ28oWaDlfxugEN73+N3RvNVnpxHBcm6Geh qYj04300CUlUSBxDymeup68s28ijBYtXMByWCQFJHf4IuBqcSX9VhFNcX/fI9rx3Rdt4 WQjQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=2vrzyH607YkTyg/QKvQlsTTiXKFWyZ/An7FOb9K/E7Q=; b=fTBwtPE2nQ888krjTXI/TOdqHcD6u+o50gnIvVzF2l5TGvWlJQPZwb8oDF+m9mv3tc 343YuHo743oKfpSCZJyLCdoHEUD5Y3nWyYqKjHyEmu6h+XfzuJstbTlx1uSowBaXa2aR agnUJ2nvlvBK+K85ulEoju6Z/jJUbwJLsf8mFivOX9xEPx2D1tLWQS1uUmeVX1w+J/uX gmNaNaqa7+Z3cuLH5fONDpWyw/2Du0OA4g/WJF2ToZT3JsvEkGQYeOfhFzDKebUrClhS 3nU6ZmC/XohdCMDSK4hDF4fDea1H8zbbxBT7FJKTulnKs6Fc5fAi1wCZrqDF4Atj2Qm2 ZKeQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f15-v6si928400plr.454.2018.03.17.08.11.48; Sat, 17 Mar 2018 08:12:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752930AbeCQPJs (ORCPT + 99 others); Sat, 17 Mar 2018 11:09:48 -0400 Received: from h2.hallyn.com ([78.46.35.8]:59750 "EHLO mail.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751743AbeCQPJn (ORCPT ); Sat, 17 Mar 2018 11:09:43 -0400 Received: by mail.hallyn.com (Postfix, from userid 1001) id 2B17E1205E7; Sat, 17 Mar 2018 10:09:42 -0500 (CDT) Date: Sat, 17 Mar 2018 10:09:42 -0500 From: "Serge E. Hallyn" To: Thiago Jung Bauermann Cc: Mimi Zohar , "Serge E. Hallyn" , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, James Morris , Dmitry Kasatkin Subject: Re: [PATCH 3/4] ima: Improvements in ima_appraise_measurement() Message-ID: <20180317150942.GA10607@mail.hallyn.com> References: <20180314202020.3794-1-bauerman@linux.vnet.ibm.com> <20180314202020.3794-4-bauerman@linux.vnet.ibm.com> <20180314214045.GC14289@mail.hallyn.com> <87efkmjjc7.fsf@morokweng.localdomain> <1521141514.3547.637.camel@linux.vnet.ibm.com> <874llhoz89.fsf@morokweng.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <874llhoz89.fsf@morokweng.localdomain> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Quoting Thiago Jung Bauermann (bauerman@linux.vnet.ibm.com): > > Mimi Zohar writes: > > On Wed, 2018-03-14 at 21:03 -0300, Thiago Jung Bauermann wrote: > >> Hello Serge, > >> > >> Thanks for quickly reviewing these patches! > >> > >> Serge E. Hallyn writes: > >> > >> > Quoting Thiago Jung Bauermann (bauerman@linux.vnet.ibm.com): > >> >> From: Mimi Zohar > >> >> @@ -241,16 +241,20 @@ int ima_appraise_measurement(enum ima_hooks func, > >> >> } > >> >> > >> >> status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint); > >> >> - if ((status != INTEGRITY_PASS) && > >> >> - (status != INTEGRITY_PASS_IMMUTABLE) && > >> >> - (status != INTEGRITY_UNKNOWN)) { > >> >> - if ((status == INTEGRITY_NOLABEL) > >> >> - || (status == INTEGRITY_NOXATTRS)) > >> >> - cause = "missing-HMAC"; > >> >> - else if (status == INTEGRITY_FAIL) > >> >> - cause = "invalid-HMAC"; > >> >> + switch (status) { > >> >> + case INTEGRITY_PASS: > >> >> + case INTEGRITY_PASS_IMMUTABLE: > >> >> + case INTEGRITY_UNKNOWN: > >> > > >> > Wouldn't it be more future-proof to replace this with a 'default', or > >> > to at least add a "default: BUG()" to catch new status values? > >> > >> I agree. I like the "default: BUG()" option. > > > > Agreed. I would put it at the end after INTEGRITY_FAIL. > > Ok, what about the version below? Since the status is returned by evm, it seems like an actual BUG() is appropriate, but ok. Acked-by: Serge Hallyn > > >> > >> >> + break; > >> >> + case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */ > >> >> + case INTEGRITY_NOLABEL: /* No security.evm xattr. */ > >> >> + cause = "missing-HMAC"; > >> >> + goto out; > >> >> + case INTEGRITY_FAIL: /* Invalid HMAC/signature. */ > >> >> + cause = "invalid-HMAC"; > >> >> goto out; > >> >> } > >> >> + > >> >> switch (xattr_value->type) { > >> >> case IMA_XATTR_DIGEST_NG: > >> >> /* first byte contains algorithm id */ > >> >> @@ -316,17 +320,20 @@ int ima_appraise_measurement(enum ima_hooks func, > >> >> integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, > >> >> op, cause, rc, 0); > >> >> } else if (status != INTEGRITY_PASS) { > >> >> + /* Fix mode, but don't replace file signatures. */ > >> >> if ((ima_appraise & IMA_APPRAISE_FIX) && > >> >> (!xattr_value || > >> >> xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { > >> >> if (!ima_fix_xattr(dentry, iint)) > >> >> status = INTEGRITY_PASS; > >> >> - } else if ((inode->i_size == 0) && > >> >> - (iint->flags & IMA_NEW_FILE) && > >> >> - (xattr_value && > >> >> - xattr_value->type == EVM_IMA_XATTR_DIGSIG)) { > >> >> + } > >> >> + > >> >> + /* Permit new files with file signatures, but without data. */ > >> >> + if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE && > >> > > >> > This may be correct, but it's not identical to what you're replacing. > >> > Since in either case you're setting status to INTEGRITY_PASS the final > >> > result is the same, but with a few extra possible steps. Not sure > >> > whether that matters. > >> > >> Good point. I'll have to defer this one to Mimi though. > > > > The end result is the same, but add some needed comments. Yes, the same, but with a few extra possible steps, impacting performance, so I just wanted to call that out. -serge