Return-Path: Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:52412 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725977AbeKQGWu (ORCPT ); Sat, 17 Nov 2018 01:22:50 -0500 Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id wAGK8wGW047044 for ; Fri, 16 Nov 2018 15:09:01 -0500 Received: from e16.ny.us.ibm.com (e16.ny.us.ibm.com [129.33.205.206]) by mx0a-001b2d01.pphosted.com with ESMTP id 2nt38yu5e2-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 16 Nov 2018 15:09:01 -0500 Received: from localhost by e16.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 16 Nov 2018 20:09:00 -0000 From: Thiago Jung Bauermann To: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, Mimi Zohar , Dmitry Kasatkin , James Morris , "Serge E. Hallyn" , David Howells , David Woodhouse , Jessica Yu , Herbert Xu , "David S. Miller" , Jonathan Corbet , "AKASHI, Takahiro" , Thiago Jung Bauermann Subject: [PATCH v8 08/14] ima: Introduce is_signed() Date: Fri, 16 Nov 2018 18:07:06 -0200 In-Reply-To: <20181116200712.14154-1-bauerman@linux.ibm.com> References: <20181116200712.14154-1-bauerman@linux.ibm.com> Message-Id: <20181116200712.14154-9-bauerman@linux.ibm.com> Sender: linux-crypto-owner@vger.kernel.org List-ID: With the introduction of another IMA signature type (modsig), some places will need to check for both of them. It is cleaner to do that if there's a helper function to tell whether an xattr_value represents an IMA signature. Suggested-by: Mimi Zohar Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima.h | 5 +++++ security/integrity/ima/ima_appraise.c | 7 +++---- security/integrity/ima/ima_template_lib.c | 2 +- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index cc12f3449a72..e4f72b30cb28 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -154,6 +154,11 @@ unsigned long ima_get_binary_runtime_size(void); int ima_init_template(void); void ima_init_template_list(void); +static inline bool is_signed(const struct evm_ima_xattr_data *xattr_value) +{ + return xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG; +} + /* * used to protect h_table and sha_table */ diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 8bcef90939f8..c6459408e6b2 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -325,15 +325,14 @@ int ima_appraise_measurement(enum ima_hooks func, } else if (status != INTEGRITY_PASS) { /* Fix mode, but don't replace file signatures. */ if ((ima_appraise & IMA_APPRAISE_FIX) && - (!xattr_value || - xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { + !is_signed(xattr_value)) { if (!ima_fix_xattr(dentry, iint)) status = INTEGRITY_PASS; } /* Permit new files with file signatures, but without data. */ if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE && - xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) { + is_signed(xattr_value)) { status = INTEGRITY_PASS; } @@ -448,7 +447,7 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) return -EINVAL; ima_reset_appraise_flags(d_backing_inode(dentry), - xvalue->type == EVM_IMA_XATTR_DIGSIG); + is_signed(xvalue)); result = 0; } return result; diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index 43752002c222..300912914b17 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c @@ -382,7 +382,7 @@ int ima_eventsig_init(struct ima_event_data *event_data, { struct evm_ima_xattr_data *xattr_value = event_data->xattr_value; - if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG)) + if (!is_signed(xattr_value)) return 0; return ima_write_template_field_data(xattr_value, event_data->xattr_len,