Received: by 10.213.65.68 with SMTP id h4csp404051imn;
        Sat, 17 Mar 2018 08:12:03 -0700 (PDT)
X-Google-Smtp-Source: AG47ELtG9qL4GA4A/1853HOzClHTsJhtEdZVXfohc+Osj+52N2z/Tpc4BZUo+Jm4lt9pl2oqp9ou
X-Received: by 10.99.146.66 with SMTP id s2mr4604334pgn.372.1521299523218;
        Sat, 17 Mar 2018 08:12:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521299523; cv=none;
        d=google.com; s=arc-20160816;
        b=AwxJeJiwWhw2lLipPL+t7UU7EsKFQ8PEiqZqcXHeN/9z0LBIDh5sDDuDfvtFkKaYQd
         23zYLiwFCqXv82mF/hLctsHKFw8UFApVTAtvlA0LihgbutwMx9ezWfJePfrCZthO3q0V
         Gwl6qxA0AZKdssflUhxBe/0w+3W2hSfuQOkQ/hXCDrdkzx/HgyHArRvmfyBQQ7TGO8ob
         aTJdaZ/Ycrobg6JaXxFy0u0E+Ch75G34fpJ28oWaDlfxugEN73+N3RvNVnpxHBcm6Geh
         qYj04300CUlUSBxDymeup68s28ijBYtXMByWCQFJHf4IuBqcSX9VhFNcX/fI9rx3Rdt4
         WQjQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=2vrzyH607YkTyg/QKvQlsTTiXKFWyZ/An7FOb9K/E7Q=;
        b=fTBwtPE2nQ888krjTXI/TOdqHcD6u+o50gnIvVzF2l5TGvWlJQPZwb8oDF+m9mv3tc
         343YuHo743oKfpSCZJyLCdoHEUD5Y3nWyYqKjHyEmu6h+XfzuJstbTlx1uSowBaXa2aR
         agnUJ2nvlvBK+K85ulEoju6Z/jJUbwJLsf8mFivOX9xEPx2D1tLWQS1uUmeVX1w+J/uX
         gmNaNaqa7+Z3cuLH5fONDpWyw/2Du0OA4g/WJF2ToZT3JsvEkGQYeOfhFzDKebUrClhS
         3nU6ZmC/XohdCMDSK4hDF4fDea1H8zbbxBT7FJKTulnKs6Fc5fAi1wCZrqDF4Atj2Qm2
         ZKeQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f15-v6si928400plr.454.2018.03.17.08.11.48;
        Sat, 17 Mar 2018 08:12:03 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752930AbeCQPJs (ORCPT <rfc822;austinkernel.kim@gmail.com>
        + 99 others); Sat, 17 Mar 2018 11:09:48 -0400
Received: from h2.hallyn.com ([78.46.35.8]:59750 "EHLO mail.hallyn.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751743AbeCQPJn (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 17 Mar 2018 11:09:43 -0400
Received: by mail.hallyn.com (Postfix, from userid 1001)
        id 2B17E1205E7; Sat, 17 Mar 2018 10:09:42 -0500 (CDT)
Date:   Sat, 17 Mar 2018 10:09:42 -0500
From:   "Serge E. Hallyn" <serge@hallyn.com>
To:     Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Cc:     Mimi Zohar <zohar@linux.vnet.ibm.com>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, James Morris <jmorris@namei.org>,
        Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: [PATCH 3/4] ima: Improvements in ima_appraise_measurement()
Message-ID: <20180317150942.GA10607@mail.hallyn.com>
References: <20180314202020.3794-1-bauerman@linux.vnet.ibm.com>
 <20180314202020.3794-4-bauerman@linux.vnet.ibm.com>
 <20180314214045.GC14289@mail.hallyn.com>
 <87efkmjjc7.fsf@morokweng.localdomain>
 <1521141514.3547.637.camel@linux.vnet.ibm.com>
 <874llhoz89.fsf@morokweng.localdomain>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <874llhoz89.fsf@morokweng.localdomain>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Thiago Jung Bauermann (bauerman@linux.vnet.ibm.com):
> 
> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> > On Wed, 2018-03-14 at 21:03 -0300, Thiago Jung Bauermann wrote:
> >> Hello Serge,
> >> 
> >> Thanks for quickly reviewing these patches!
> >> 
> >> Serge E. Hallyn <serge@hallyn.com> writes:
> >> 
> >> > Quoting Thiago Jung Bauermann (bauerman@linux.vnet.ibm.com):
> >> >> From: Mimi Zohar <zohar@linux.vnet.ibm.com>
> >> >> @@ -241,16 +241,20 @@ int ima_appraise_measurement(enum ima_hooks func,
> >> >>  	}
> >> >>  
> >> >>  	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
> >> >> -	if ((status != INTEGRITY_PASS) &&
> >> >> -	    (status != INTEGRITY_PASS_IMMUTABLE) &&
> >> >> -	    (status != INTEGRITY_UNKNOWN)) {
> >> >> -		if ((status == INTEGRITY_NOLABEL)
> >> >> -		    || (status == INTEGRITY_NOXATTRS))
> >> >> -			cause = "missing-HMAC";
> >> >> -		else if (status == INTEGRITY_FAIL)
> >> >> -			cause = "invalid-HMAC";
> >> >> +	switch (status) {
> >> >> +	case INTEGRITY_PASS:
> >> >> +	case INTEGRITY_PASS_IMMUTABLE:
> >> >> +	case INTEGRITY_UNKNOWN:
> >> >
> >> > Wouldn't it be more future-proof to replace this with a 'default', or
> >> > to at least add a "default: BUG()" to catch new status values?
> >> 
> >> I agree. I like the "default: BUG()" option.
> >
> > Agreed. I would put it at the end after INTEGRITY_FAIL.
> 
> Ok, what about the version below?

Since the status is returned by evm, it seems like an actual BUG() is
appropriate, but ok.

Acked-by: Serge Hallyn <serge@hallyn.com>

> 
> >> 
> >> >> +		break;
> >> >> +	case INTEGRITY_NOXATTRS:	/* No EVM protected xattrs. */
> >> >> +	case INTEGRITY_NOLABEL:		/* No security.evm xattr. */
> >> >> +		cause = "missing-HMAC";
> >> >> +		goto out;
> >> >> +	case INTEGRITY_FAIL:		/* Invalid HMAC/signature. */
> >> >> +		cause = "invalid-HMAC";
> >> >>  		goto out;
> >> >>  	}
> >> >> +
> >> >>  	switch (xattr_value->type) {
> >> >>  	case IMA_XATTR_DIGEST_NG:
> >> >>  		/* first byte contains algorithm id */
> >> >> @@ -316,17 +320,20 @@ int ima_appraise_measurement(enum ima_hooks func,
> >> >>  		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> >> >>  				    op, cause, rc, 0);
> >> >>  	} else if (status != INTEGRITY_PASS) {
> >> >> +		/* Fix mode, but don't replace file signatures. */
> >> >>  		if ((ima_appraise & IMA_APPRAISE_FIX) &&
> >> >>  		    (!xattr_value ||
> >> >>  		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
> >> >>  			if (!ima_fix_xattr(dentry, iint))
> >> >>  				status = INTEGRITY_PASS;
> >> >> -		} else if ((inode->i_size == 0) &&
> >> >> -			   (iint->flags & IMA_NEW_FILE) &&
> >> >> -			   (xattr_value &&
> >> >> -			    xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
> >> >> +		}
> >> >> +
> >> >> +		/* Permit new files with file signatures, but without data. */
> >> >> +		if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
> >> >
> >> > This may be correct, but it's not identical to what you're replacing.
> >> > Since in either case you're setting status to INTEGRITY_PASS the final
> >> > result is the same, but with a few extra possible steps.  Not sure
> >> > whether that matters.
> >> 
> >> Good point. I'll have to defer this one to Mimi though.
> >
> > The end result is the same, but add some needed comments.

Yes, the same, but with a few extra possible steps, impacting performance,
so I just wanted to call that out.

-serge