Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp904237imu; Fri, 16 Nov 2018 12:10:27 -0800 (PST) X-Google-Smtp-Source: AJdET5fEHqsoCvwo1W0sxFlB0Kyg3iC4dXbJmZIgLcqzsMIxevAoYJKxO07JU9vYFn0IEhlmDqjF X-Received: by 2002:a17:902:b092:: with SMTP id p18-v6mr12280682plr.190.1542399027591; Fri, 16 Nov 2018 12:10:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542399027; cv=none; d=google.com; s=arc-20160816; b=dcip+BZ/xHpDyLesN5Z6fpQgVTC9vRvxZdiWBdpUbKfyzAADxQLWFUutyTXmtLOseD ltraNsude67jXEv3UdVT/dQ2seJiTXs287ccx3SA8xZdNJUmzWmwkggGa1fAKCogD+Sj Ze/BRTE11cc93IHvVPZOo70A8rMvWiUF2L4Cs7+7RGcWB84IhvlJaNEteeuLHpEQ18Kc jdnsU3y8V2IU1ho0okvsYhmBvsD6Tvy1XznnyVkxANM57Jbjpj4/YURHNZCo/O8TavcE QSD9xg4iWXEQcnm6UFEmBnlxezjgk4T52gUsfHH5914Sr+sOphmXO5C5J/FWzwKCrDuK ZXWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:references:in-reply-to:date :subject:cc:to:from; bh=T2+Nw9UeIVWN8XQmdnxYdPKMdy4vKPZUiAks4GSNcjk=; b=foAbiKOFl2xtK9n8BANPBBxH9BJQUds04HcakYOjY54YPkSD6IohhoMjGd7gtItjWV Nr+psb2CN/CKlGvcgoZYsCADwBDsOqYVYO4iBOjQJ19LTBS6Kk7YzX8mNvpifBhK8G0d s2pyAbCuKYfEaaTlcIruIw7DlYZRLvPWijrYyWOnq+I0B8m+mpTAjqElZmwSqHwJ0l4i WB6hcKlKRcgKWTITUYveEwJcA3zmGSgvceWNFRQVkd0uBhdi75j9ZEWDzkIgzWqzdJAm Vyp9bN60RawjWlDDD2xCSdpruDZdRTbuAhKpC8Wwg9cr0ea595AkNUcjGn+r74mRJGOv pmIg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o6-v6si31963422plh.197.2018.11.16.12.10.13; Fri, 16 Nov 2018 12:10:27 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729693AbeKQGWy (ORCPT + 99 others); Sat, 17 Nov 2018 01:22:54 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:53490 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725977AbeKQGWy (ORCPT ); Sat, 17 Nov 2018 01:22:54 -0500 Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id wAGK94W6138594 for ; Fri, 16 Nov 2018 15:09:05 -0500 Received: from e16.ny.us.ibm.com (e16.ny.us.ibm.com [129.33.205.206]) by mx0a-001b2d01.pphosted.com with ESMTP id 2nt2nemrrw-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 16 Nov 2018 15:09:05 -0500 Received: from localhost by e16.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 16 Nov 2018 20:09:00 -0000 Received: from b01cxnp22036.gho.pok.ibm.com (9.57.198.26) by e16.ny.us.ibm.com (146.89.104.203) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Fri, 16 Nov 2018 20:08:54 -0000 Received: from b01ledav006.gho.pok.ibm.com (b01ledav006.gho.pok.ibm.com [9.57.199.111]) by b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id wAGK8r2r36438158 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 16 Nov 2018 20:08:53 GMT Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 22BACAC05B; Fri, 16 Nov 2018 20:08:53 +0000 (GMT) Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2387AAC05E; Fri, 16 Nov 2018 20:08:49 +0000 (GMT) Received: from morokweng.localdomain.com (unknown [9.80.224.199]) by b01ledav006.gho.pok.ibm.com (Postfix) with ESMTP; Fri, 16 Nov 2018 20:08:48 +0000 (GMT) From: Thiago Jung Bauermann To: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, Mimi Zohar , Dmitry Kasatkin , James Morris , "Serge E. Hallyn" , David Howells , David Woodhouse , Jessica Yu , Herbert Xu , "David S. Miller" , Jonathan Corbet , "AKASHI, Takahiro" , Thiago Jung Bauermann Subject: [PATCH v8 08/14] ima: Introduce is_signed() Date: Fri, 16 Nov 2018 18:07:06 -0200 X-Mailer: git-send-email 2.17.2 In-Reply-To: <20181116200712.14154-1-bauerman@linux.ibm.com> References: <20181116200712.14154-1-bauerman@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 18111620-0072-0000-0000-000003CA291C X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00010063; HX=3.00000242; KW=3.00000007; PH=3.00000004; SC=3.00000270; SDB=6.01118417; UDB=6.00577118; IPR=6.00898526; MB=3.00024197; MTD=3.00000008; XFM=3.00000015; UTC=2018-11-16 20:08:58 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18111620-0073-0000-0000-00004A21827F Message-Id: <20181116200712.14154-9-bauerman@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-11-16_11:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1811160179 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org With the introduction of another IMA signature type (modsig), some places will need to check for both of them. It is cleaner to do that if there's a helper function to tell whether an xattr_value represents an IMA signature. Suggested-by: Mimi Zohar Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima.h | 5 +++++ security/integrity/ima/ima_appraise.c | 7 +++---- security/integrity/ima/ima_template_lib.c | 2 +- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index cc12f3449a72..e4f72b30cb28 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -154,6 +154,11 @@ unsigned long ima_get_binary_runtime_size(void); int ima_init_template(void); void ima_init_template_list(void); +static inline bool is_signed(const struct evm_ima_xattr_data *xattr_value) +{ + return xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG; +} + /* * used to protect h_table and sha_table */ diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 8bcef90939f8..c6459408e6b2 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -325,15 +325,14 @@ int ima_appraise_measurement(enum ima_hooks func, } else if (status != INTEGRITY_PASS) { /* Fix mode, but don't replace file signatures. */ if ((ima_appraise & IMA_APPRAISE_FIX) && - (!xattr_value || - xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { + !is_signed(xattr_value)) { if (!ima_fix_xattr(dentry, iint)) status = INTEGRITY_PASS; } /* Permit new files with file signatures, but without data. */ if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE && - xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) { + is_signed(xattr_value)) { status = INTEGRITY_PASS; } @@ -448,7 +447,7 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) return -EINVAL; ima_reset_appraise_flags(d_backing_inode(dentry), - xvalue->type == EVM_IMA_XATTR_DIGSIG); + is_signed(xvalue)); result = 0; } return result; diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index 43752002c222..300912914b17 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c @@ -382,7 +382,7 @@ int ima_eventsig_init(struct ima_event_data *event_data, { struct evm_ima_xattr_data *xattr_value = event_data->xattr_value; - if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG)) + if (!is_signed(xattr_value)) return 0; return ima_write_template_field_data(xattr_value, event_data->xattr_len,