Message-ID: <1412007271.3508.46.camel@dhcp-9-2-203-236.watson.ibm.com>
Date: Mon, 29 Sep 2014 12:14:31 -0400
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: linux-ima-devel@...ts.sourceforge.net, dmitry.kasatkin@...il.com,
linux-kernel <linux-kernel@...r.kernel.org>,
Joe Perches <joe@...ches.com>,
Andy Whitcroft <apw@...onical.com>,
Greg KH <gregkh@...uxfoundation.org>
Subject: Re: [PATCH 1/4] evm: skip replacing EVM signature with HMAC on
read-only filesystem
On Wed, 2014-09-24 at 15:07 +0300, Dmitry Kasatkin wrote:
> If filesystem is mounted read-only or file is immutable, updating
> xattr will fail. This is a usual case during early boot until
> filesystem is remounted read-write. This patch verifies conditions
> to skip an unnecessary attempt to calculate HMAC and set xattr.
>
> Signed-off-by: Dmitry Kasatkin <d.kasatkin@...sung.com>
> ---
> security/integrity/evm/evm_main.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index 9685af3..a30be77 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -162,9 +162,14 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
> (const char *)xattr_data, xattr_len,
> calc.digest, sizeof(calc.digest));
> if (!rc) {
> - /* we probably want to replace rsa with hmac here */
> - evm_update_evmxattr(dentry, xattr_name, xattr_value,
> - xattr_value_len);
> + /* Replace RSA with HMAC if not mounted readonly and
> + * not immutable
> + */
> + if (!IS_RDONLY(dentry->d_inode) &&
> + !IS_IMMUTABLE(dentry->d_inode))

Previously patches conformed to Lindent, unless there was a valid reason
not to use it, like conflicting with checkpatch.pl. Joe Perches
submitted a patch to remove it from the Documentation/CodingStyle a
while ago - https://lkml.org/lkml/2013/2/11/390 and recommends using
"checkpatch.pl --fix" instead.

Andrew, Greg, what is the current best practice?

thanks,

Mimi

> + evm_update_evmxattr(dentry, xattr_name,
> + xattr_value,
> + xattr_value_len);
> }
> break;
> default:
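
Review bot: The guarded call under "if (!rc)" still discards the return value of evm_update_evmxattr(), so a failed xattr write for any reason other than the two conditions tested here stays silent. Because the signature has already verified at this point, the comment should say that the HMAC replacement is best-effort and that the file keeps its signature when the update is skipped or fails. On style, the new block comment puts text on the opening "/*" line, and reading dentry->d_inode once into a local (struct inode *inode = dentry->d_inode;) would let the condition fit on one line and avoid the three-line wrapped call.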