lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1360871745-20616-5-git-send-email-vgoyal@redhat.com>
Date:	Thu, 14 Feb 2013 14:55:43 -0500
From:	Vivek Goyal <vgoyal@...hat.com>
To:	zohar@...ux.vnet.ibm.com, linux-security-module@...r.kernel.org
Cc:	vgoyal@...hat.com, linux-kernel@...r.kernel.org,
	dmitry.kasatkin@...el.com
Subject: [PATCH 4/6] ima: Introduce new integrity error code INTEGRITY_XATTR_NOTSUPP

Currently file system does not support xattr or security xattr are not
enabled, we return INTEGRITY_UNKNOWN. INTEGRITY_UNKNOWN is returned in
so many other conditions too, evm not initialized etc.

So far nobody cared but with appraise_type=optional, I need to
to differentiate between different error paths. For example, I want
to allow access to file when xattr are not enabled or specific security
attr is not enabled by file system. But I don't want to allow access
for all cases of INTEGRITY_UNKNOWN. For example,
if vfs_getxattr_alloc() returns -ENOMEM, then also INTEGRITY_UNKNOWN
will be returned and I don't think we want to allow access to file
in that case.

So to differentiate the errors where we can allow acccess to file,
introduce the new error code.

Signed-off-by: Vivek Goyal <vgoyal@...hat.com>
---
 include/linux/integrity.h             |    1 +
 security/integrity/ima/ima_appraise.c |    4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/linux/integrity.h b/include/linux/integrity.h
index 9be4a98..37074be 100644
--- a/include/linux/integrity.h
+++ b/include/linux/integrity.h
@@ -19,6 +19,7 @@ enum integrity_status {
 	INTEGRITY_EVM_NOLABEL,
 	INTEGRITY_NOXATTRS,
 	INTEGRITY_UNKNOWN,
+	INTEGRITY_XATTR_NOTSUPP,
 };
 
 /* List of EVM protected security xattrs */
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 1750556..af39a08 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -129,14 +129,14 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
 	if (!ima_appraise)
 		return 0;
 	if (!inode->i_op->getxattr)
-		return INTEGRITY_UNKNOWN;
+		return INTEGRITY_XATTR_NOTSUPP;
 
 	rc = vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)&xattr_value,
 				0, GFP_NOFS);
 	if (rc <= 0) {
 		/* File system does not support security xattr */
 		if (rc == -EOPNOTSUPP)
-			return INTEGRITY_UNKNOWN;
+			return INTEGRITY_XATTR_NOTSUPP;
 
 		if (rc && rc != -ENODATA)
 			goto out;
-- 
1.7.7.6

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ