| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Sep 2014 12:35:29 -0400
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
linux-ima-devel@...ts.sourceforge.net, dmitry.kasatkin@...il.com,
linux-kernel <linux-kernel@...r.kernel.org>,
Joe Perches <joe@...ches.com>,
Andy Whitcroft <apw@...onical.com>
Subject: Re: [PATCH 1/4] evm: skip replacing EVM signature with HMAC on
read-only filesystem
On Mon, 2014-09-29 at 12:23 -0400, Greg KH wrote:
> On Mon, Sep 29, 2014 at 12:14:31PM -0400, Mimi Zohar wrote:
> > On Wed, 2014-09-24 at 15:07 +0300, Dmitry Kasatkin wrote:
> > > If filesystem is mounted read-only or file is immutable, updating
> > > xattr will fail. This is a usual case during early boot until
> > > filesystem is remount read-write. This patch verifies conditions
> > > to skip unnecessary attempt to calculate HMAC and set xattr.
> > >
> > > Signed-off-by: Dmitry Kasatkin <d.kasatkin@...sung.com>
> > > ---
> > > security/integrity/evm/evm_main.c | 11 ++++++++---
> > > 1 file changed, 8 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> > > index 9685af3..a30be77 100644
> > > --- a/security/integrity/evm/evm_main.c
> > > +++ b/security/integrity/evm/evm_main.c
> > > @@ -162,9 +162,14 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
> > > (const char *)xattr_data, xattr_len,
> > > calc.digest, sizeof(calc.digest));
> > > if (!rc) {
> > > - /* we probably want to replace rsa with hmac here */
> > > - evm_update_evmxattr(dentry, xattr_name, xattr_value,
> > > - xattr_value_len);
> > > + /* Replace RSA with HMAC if not mounted readonly and
> > > + * not immutable
> > > + */
> > > + if (!IS_RDONLY(dentry->d_inode) &&
> > > + !IS_IMMUTABLE(dentry->d_inode))
> >
> > Previously patches conformed to Lindent, unless there was a valid reason
> > not to use it, like conflicting with checkpatch.pl. Joe Perches
> > submitted a patch to remove it from the Documentation/CodingStyle a
> > while ago - https://lkml.org/lkml/2013/2/11/390 and recommends using
> > "checkpatch.pl --fix" instead.
> >
> > Andrew, Greg, what is the current best practice?
>
> I don't understand, what is wrong with the formatting of this patch? It
> looks ok to me. If you want to indent the second line of the if to the
> left some more, that's fine, but just minor nits, nothing major at all.
Right, scripts/Lindent is only about formatting, nothing major.
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists