evm: prevent passing integrity check if xattr read fails

This patch fixes a bug, where evm_verify_hmac() returns INTEGRITY_PASS if inode->i_op->getxattr() returns an error in evm_find_protected_xattrs. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>

evm: prevent passing integrity check if xattr read fails
This patch fixes a bug, where evm_verify_hmac() returns INTEGRITY_PASS if inode->i_op->getxattr() returns an error in evm_find_protected_xattrs. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
1f100979 · Dmitry Kasatkin · Mimi Zohar · e7d021e2 · 1f100979
Commit 1f100979 authored Aug 15, 2014 by Dmitry Kasatkin Committed by Mimi Zohar Sep 08, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 3 deletions

security/integrity/evm/evm_main.c security/integrity/evm/evm_main.c +4 -3

No files found.
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -126,14 +126,15 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 	rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
 				GFP_NOFS);
 	if (rc <= 0) {
-		if (rc == 0)
+		evm_status = INTEGRITY_FAIL;
-			evm_status = INTEGRITY_FAIL; /* empty */
+		if (rc == -ENODATA) {
-		else if (rc == -ENODATA) {
 			rc = evm_find_protected_xattrs(dentry);
 			if (rc > 0)
 				evm_status = INTEGRITY_NOLABEL;
 			else if (rc == 0)
 				evm_status = INTEGRITY_NOXATTRS; /* new file */
+		} else if (rc == -EOPNOTSUPP) {
+			evm_status = INTEGRITY_UNKNOWN;
 		}
 		goto out;
 	}