Commit b075361e authored by James Morris's avatar James Morris

Merge branch 'next' of...

Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next
parents 636e4625 b4bfec7f
...@@ -32,8 +32,6 @@ Usage: ...@@ -32,8 +32,6 @@ Usage:
(40 ascii zeros) (40 ascii zeros)
blobauth= ascii hex auth for sealed data default 0x00... blobauth= ascii hex auth for sealed data default 0x00...
(40 ascii zeros) (40 ascii zeros)
blobauth= ascii hex auth for sealed data default 0x00...
(40 ascii zeros)
pcrinfo= ascii hex of PCR_INFO or PCR_INFO_LONG (no default) pcrinfo= ascii hex of PCR_INFO or PCR_INFO_LONG (no default)
pcrlock= pcr number to be extended to "lock" blob pcrlock= pcr number to be extended to "lock" blob
migratable= 0|1 indicating permission to reseal to new PCR values, migratable= 0|1 indicating permission to reseal to new PCR values,
......
...@@ -51,7 +51,7 @@ static bool init_keyring __initdata; ...@@ -51,7 +51,7 @@ static bool init_keyring __initdata;
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen) const char *digest, int digestlen)
{ {
if (id >= INTEGRITY_KEYRING_MAX) if (id >= INTEGRITY_KEYRING_MAX || siglen < 2)
return -EINVAL; return -EINVAL;
if (!keyring[id]) { if (!keyring[id]) {
......
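Review bot: The new `siglen < 2` guard on the first line of the hunk encodes the minimum signature-header length as a bare constant, and nothing in the hunk says what the two bytes are; the code it protects lies below the hunk, as does the rest of integrity_digsig_verify's body. A comment would keep the next maintainer from weakening it to `< 1`, e.g. `/* sig[0] (type) and sig[1] (version) must exist before they are read below */` — adjust the byte names if the header layout differs from what I infer. Since `siglen` is a signed int, the check also rejects negative lengths, which is worth a word so nobody "simplifies" it to an unsigned compare.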
...@@ -145,6 +145,10 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, ...@@ -145,6 +145,10 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
/* check value type */ /* check value type */
switch (xattr_data->type) { switch (xattr_data->type) {
case EVM_XATTR_HMAC: case EVM_XATTR_HMAC:
if (xattr_len != sizeof(struct evm_ima_xattr_data)) {
evm_status = INTEGRITY_FAIL;
goto out;
}
rc = evm_calc_hmac(dentry, xattr_name, xattr_value, rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
xattr_value_len, calc.digest); xattr_value_len, calc.digest);
if (rc) if (rc)
......
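Review bot: The added length check in the EVM_XATTR_HMAC case compares against `sizeof(struct evm_ima_xattr_data)` without saying why that is the exact expected size; the struct is not visible in the hunk, so a reader cannot tell that an HMAC value is presumably a fixed type byte plus a fixed-size digest, nor that a flexible `digest[]` member would silently make this check wrong. Suggest annotating the check: `/* HMAC xattr is fixed-size (type byte + digest); any other length is malformed */`. It is also worth stating that a bad length is classified INTEGRITY_FAIL rather than INTEGRITY_UNKNOWN — a deliberate hard fail for a malformed value — since the other cases of this switch, outside the hunk, may classify errors differently. evm_verify_hmac starts before and ends after this hunk.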
...@@ -130,6 +130,7 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, ...@@ -130,6 +130,7 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
int xattr_len) int xattr_len)
{ {
struct signature_v2_hdr *sig; struct signature_v2_hdr *sig;
enum hash_algo ret;
if (!xattr_value || xattr_len < 2) if (!xattr_value || xattr_len < 2)
/* return default hash algo */ /* return default hash algo */
...@@ -143,7 +144,9 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, ...@@ -143,7 +144,9 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
return sig->hash_algo; return sig->hash_algo;
break; break;
case IMA_XATTR_DIGEST_NG: case IMA_XATTR_DIGEST_NG:
return xattr_value->digest[0]; ret = xattr_value->digest[0];
if (ret < HASH_ALGO__LAST)
return ret;
break; break;
case IMA_XATTR_DIGEST: case IMA_XATTR_DIGEST:
/* this is for backward compatibility */ /* this is for backward compatibility */
...@@ -384,14 +387,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, ...@@ -384,14 +387,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
result = ima_protect_xattr(dentry, xattr_name, xattr_value, result = ima_protect_xattr(dentry, xattr_name, xattr_value,
xattr_value_len); xattr_value_len);
if (result == 1) { if (result == 1) {
bool digsig;
if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
return -EINVAL; return -EINVAL;
digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); ima_reset_appraise_flags(d_backing_inode(dentry),
if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE)) (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
return -EPERM;
ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
result = 0; result = 0;
} }
return result; return result;
......
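Review bot: The rewritten branch in ima_inode_setxattr drops the enforce-mode `-EPERM` that rejected non-signature security.ima values, so a hash-only xattr can again be written while IMA_APPRAISE_ENFORCE is set; whether that is intended depends on policy semantics not visible here, but the code now gives no hint that the restriction once existed and was removed deliberately, so someone may reintroduce it. A one-line comment above the reset call would capture the rationale, e.g. `/* hash-type values are accepted even in enforce mode; appraisal decides whether they satisfy the policy */` (adjust to the actual reason from the commit being merged). Separately, `(xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0` is redundant because the comparison already yields 0 or 1, so `ima_reset_appraise_flags(d_backing_inode(dentry), xvalue->type == EVM_IMA_XATTR_DIGSIG);` reads cleaner.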
...@@ -401,7 +401,7 @@ static int ima_release_policy(struct inode *inode, struct file *file) ...@@ -401,7 +401,7 @@ static int ima_release_policy(struct inode *inode, struct file *file)
const char *cause = valid_policy ? "completed" : "failed"; const char *cause = valid_policy ? "completed" : "failed";
if ((file->f_flags & O_ACCMODE) == O_RDONLY) if ((file->f_flags & O_ACCMODE) == O_RDONLY)
return 0; return seq_release(inode, file);
if (valid_policy && ima_check_policy() < 0) { if (valid_policy && ima_check_policy() < 0) {
cause = "failed"; cause = "failed";
......
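Review bot: The read-only early return now calls `seq_release()`, which is only correct if the O_RDONLY open path paired it with `seq_open()`; that open path is outside this hunk, as is the rest of ima_release_policy, so the pairing should be made explicit at the call site: `/* O_RDONLY opens were set up with seq_open(); nothing to commit, just drop the seq_file */`. Note also that `cause` is computed before the read-only check and unused on that path, which is harmless but could move below the check.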
...@@ -115,7 +115,8 @@ int __init ima_init(void) ...@@ -115,7 +115,8 @@ int __init ima_init(void)
ima_used_chip = 1; ima_used_chip = 1;
if (!ima_used_chip) if (!ima_used_chip)
pr_info("No TPM chip found, activating TPM-bypass!\n"); pr_info("No TPM chip found, activating TPM-bypass! (rc=%d)\n",
rc);
rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA); rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
if (rc) if (rc)
......
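Review bot: The bypass message now prints `rc`, but the pr_info level and the wording still treat every failure the same as a missing chip; if rc comes from a PCR read that failed on a present TPM (the lines that set rc and ima_used_chip are above the hunk), the kernel quietly stops extending measurements into any PCR, which is a real loss for attestation rather than an informational event. Consider logging at pr_warn when rc indicates something other than no device, for example `if (rc != -ENODEV) pr_warn(...)`, and saying in the message that measurements will not be extended into the TPM. ima_init continues below the hunk.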