hulk inclusion category: feature feature: digest-lists
---------------------------
This patch changes the type of the IMA xattr to IMA_XATTR_DIGEST_NG. This would allow EVM verification to pass even if security.ima is not present. The metadata digest would be calculated as if the xattr on disk had been passed to EVM.
This patch also removes duplicate processing for digest-based xattr.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- security/integrity/ima/ima_appraise.c | 25 +++++++------------------ 1 file changed, 7 insertions(+), 18 deletions(-)
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 2f77f086df36..bd00611b3cec 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -265,30 +265,18 @@ int ima_appraise_measurement(enum ima_hooks func,
 goto out;
 }
- switch (xattr_value->type) {
- case EVM_IMA_XATTR_DIGEST_LIST:
+ if (found_digest && status != INTEGRITY_PASS &&
+ status != INTEGRITY_PASS_IMMUTABLE)
 set_bit(IMA_DIGEST_LIST, &iint->atomic_flags);
- if (found_digest) {
- if (!ima_digest_is_immutable(found_digest)) {
- if (iint->flags & IMA_DIGSIG_REQUIRED) {
- cause = "IMA-signature-required";
- status = INTEGRITY_FAIL;
- break;
- }
- clear_bit(IMA_DIGSIG, &iint->atomic_flags);
- } else {
- set_bit(IMA_DIGSIG, &iint->atomic_flags);
- }
-
- status = INTEGRITY_PASS;
- break;
- }
+ switch (xattr_value->type) {
+ case EVM_IMA_XATTR_DIGEST_LIST:
 if (!ima_appraise_no_metadata) {
 cause = "IMA-xattr-untrusted";
 status = INTEGRITY_FAIL;
 break;
 }
+ set_bit(IMA_DIGEST_LIST, &iint->atomic_flags);
 /* fall through */
 case IMA_XATTR_DIGEST_NG:
 /* first byte contains algorithm id */
@@ -300,7 +288,8 @@ int ima_appraise_measurement(enum ima_hooks func,
 status = INTEGRITY_FAIL;
 break;
 }
- if (status != INTEGRITY_PASS_IMMUTABLE) {
+ if (status != INTEGRITY_PASS_IMMUTABLE &&
+ (!found_digest || !ima_digest_is_immutable(found_digest))) {
 if (iint->flags & IMA_DIGSIG_REQUIRED) {
 cause = "IMA-signature-required";
 status = INTEGRITY_FAIL;
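Review bot: With a digest-list match (found_digest set) and an on-disk xattr of type EVM_IMA_XATTR_DIGEST_LIST, the removed early `status = INTEGRITY_PASS; break;` no longer short-circuits, so such a file now hits the `IMA-xattr-untrusted` failure unless ima_appraise_no_metadata is set, and otherwise continues into the IMA_XATTR_DIGEST_NG comparison; the description only mentions removing duplicate processing, so this stricter outcome deserves a sentence there or a comment in the case. The new `if` before the switch also has no comment saying why IMA_DIGEST_LIST is recorded only when status is neither INTEGRITY_PASS nor INTEGRITY_PASS_IMMUTABLE; status there is, as far as I can tell from the surrounding function, the EVM verification result computed above the hunk, so something like `/* Record that the digest list, not a verified xattr, is what vouches for this file. */` would make the intent explicit. Note too that the hunk does not itself change any xattr type; if the type change named in the description happens through the fall-through into the IMA_XATTR_DIGEST_NG case, saying so at the `/* fall through */` comment would help. ima_appraise_measurement() begins before the hunk and continues past it.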
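Review bot: The widened condition skips the `IMA-signature-required` failure when found_digest is immutable, but the block removed in the first hunk also did `set_bit(IMA_DIGSIG, &iint->atomic_flags);` for that case and cleared it otherwise, and nothing in this hunk sets IMA_DIGSIG now. If the code following this `if` (outside the hunk) clears IMA_DIGSIG on the IMA_XATTR_DIGEST_NG path, a match against an immutable digest-list entry would now lose the IMA_DIGSIG flag that later checks may rely on; either confirm the flag is set elsewhere or add an `else` branch with `set_bit(IMA_DIGSIG, &iint->atomic_flags);`. A short comment above the condition, e.g. `/* An immutable digest-list entry stands in for a signature; do not enforce IMA_DIGSIG_REQUIRED against it. */`, would also record why found_digest relaxes the requirement. The enclosing case body starts and ends outside the hunk.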