Commit 650b29db authored by Thiago Jung Bauermann's avatar Thiago Jung Bauermann Committed by Mimi Zohar

integrity: Introduce struct evm_xattr

Even though struct evm_ima_xattr_data includes a fixed-size array to hold a
SHA1 digest, most of the code ignores the array and uses the struct to mean
"type indicator followed by data of unspecified size" and tracks the real
size of what the struct represents in a separate length variable.

The only exception to that is the EVM code, which correctly uses the
definition of struct evm_ima_xattr_data.

So make this explicit in the code by removing the length specification from
the array in struct evm_ima_xattr_data. Also, change the name of the
element from digest to data since in most places the array doesn't hold a
digest.

A separate struct evm_xattr is introduced, with the original definition of
evm_ima_xattr_data to be used in the places that actually expect that
definition, specifically the EVM HMAC code.
Signed-off-by: default avatarThiago Jung Bauermann <bauerman@linux.ibm.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent 337619eb
...@@ -169,7 +169,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, ...@@ -169,7 +169,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
/* check value type */ /* check value type */
switch (xattr_data->type) { switch (xattr_data->type) {
case EVM_XATTR_HMAC: case EVM_XATTR_HMAC:
if (xattr_len != sizeof(struct evm_ima_xattr_data)) { if (xattr_len != sizeof(struct evm_xattr)) {
evm_status = INTEGRITY_FAIL; evm_status = INTEGRITY_FAIL;
goto out; goto out;
} }
...@@ -179,7 +179,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, ...@@ -179,7 +179,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
xattr_value_len, &digest); xattr_value_len, &digest);
if (rc) if (rc)
break; break;
rc = crypto_memneq(xattr_data->digest, digest.digest, rc = crypto_memneq(xattr_data->data, digest.digest,
SHA1_DIGEST_SIZE); SHA1_DIGEST_SIZE);
if (rc) if (rc)
rc = -EINVAL; rc = -EINVAL;
...@@ -523,7 +523,7 @@ int evm_inode_init_security(struct inode *inode, ...@@ -523,7 +523,7 @@ int evm_inode_init_security(struct inode *inode,
const struct xattr *lsm_xattr, const struct xattr *lsm_xattr,
struct xattr *evm_xattr) struct xattr *evm_xattr)
{ {
struct evm_ima_xattr_data *xattr_data; struct evm_xattr *xattr_data;
int rc; int rc;
if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name)) if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
...@@ -533,7 +533,7 @@ int evm_inode_init_security(struct inode *inode, ...@@ -533,7 +533,7 @@ int evm_inode_init_security(struct inode *inode,
if (!xattr_data) if (!xattr_data)
return -ENOMEM; return -ENOMEM;
xattr_data->type = EVM_XATTR_HMAC; xattr_data->data.type = EVM_XATTR_HMAC;
rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
if (rc < 0) if (rc < 0)
goto out; goto out;
......
...@@ -168,7 +168,8 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, ...@@ -168,7 +168,8 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
return sig->hash_algo; return sig->hash_algo;
break; break;
case IMA_XATTR_DIGEST_NG: case IMA_XATTR_DIGEST_NG:
ret = xattr_value->digest[0]; /* first byte contains algorithm id */
ret = xattr_value->data[0];
if (ret < HASH_ALGO__LAST) if (ret < HASH_ALGO__LAST)
return ret; return ret;
break; break;
...@@ -176,7 +177,7 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, ...@@ -176,7 +177,7 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
/* this is for backward compatibility */ /* this is for backward compatibility */
if (xattr_len == 21) { if (xattr_len == 21) {
unsigned int zero = 0; unsigned int zero = 0;
if (!memcmp(&xattr_value->digest[16], &zero, 4)) if (!memcmp(&xattr_value->data[16], &zero, 4))
return HASH_ALGO_MD5; return HASH_ALGO_MD5;
else else
return HASH_ALGO_SHA1; return HASH_ALGO_SHA1;
...@@ -275,7 +276,7 @@ int ima_appraise_measurement(enum ima_hooks func, ...@@ -275,7 +276,7 @@ int ima_appraise_measurement(enum ima_hooks func,
/* xattr length may be longer. md5 hash in previous /* xattr length may be longer. md5 hash in previous
version occupied 20 bytes in xattr, instead of 16 version occupied 20 bytes in xattr, instead of 16
*/ */
rc = memcmp(&xattr_value->digest[hash_start], rc = memcmp(&xattr_value->data[hash_start],
iint->ima_hash->digest, iint->ima_hash->digest,
iint->ima_hash->length); iint->ima_hash->length);
else else
......
...@@ -79,6 +79,12 @@ enum evm_ima_xattr_type { ...@@ -79,6 +79,12 @@ enum evm_ima_xattr_type {
struct evm_ima_xattr_data { struct evm_ima_xattr_data {
u8 type; u8 type;
u8 data[];
} __packed;
/* Only used in the EVM HMAC code. */
struct evm_xattr {
struct evm_ima_xattr_data data;
u8 digest[SHA1_DIGEST_SIZE]; u8 digest[SHA1_DIGEST_SIZE];
} __packed; } __packed;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment