Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next
This commit is contained in:
commit
b075361e91
|
@ -32,8 +32,6 @@ Usage:
|
|||
(40 ascii zeros)
|
||||
blobauth= ascii hex auth for sealed data default 0x00...
|
||||
(40 ascii zeros)
|
||||
blobauth= ascii hex auth for sealed data default 0x00...
|
||||
(40 ascii zeros)
|
||||
pcrinfo= ascii hex of PCR_INFO or PCR_INFO_LONG (no default)
|
||||
pcrlock= pcr number to be extended to "lock" blob
|
||||
migratable= 0|1 indicating permission to reseal to new PCR values,
|
||||
|
|
|
@ -51,7 +51,7 @@ static bool init_keyring __initdata;
|
|||
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
|
||||
const char *digest, int digestlen)
|
||||
{
|
||||
if (id >= INTEGRITY_KEYRING_MAX)
|
||||
if (id >= INTEGRITY_KEYRING_MAX || siglen < 2)
|
||||
return -EINVAL;
|
||||
|
||||
if (!keyring[id]) {
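Review bot: The new `siglen < 2` in `if (id >= INTEGRITY_KEYRING_MAX || siglen < 2)` is a bare constant with no explanation in the hunk; presumably it guarantees the two leading header bytes of `sig` exist before the dispatch below reads them, and that should be said in place, e.g. `/* sig[0] (type) and sig[1] (version) must be present before we dispatch on them */`. Since `siglen` is a signed `int`, the same comparison also rejects negative lengths, which is worth keeping rather than switching to an unsigned compare. integrity_digsig_verify's body continues outside the hunk, so which bytes are read first cannot be confirmed from here.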
|
||||
|
|
|
@ -145,6 +145,10 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
|
|||
/* check value type */
|
||||
switch (xattr_data->type) {
|
||||
case EVM_XATTR_HMAC:
|
||||
if (xattr_len != sizeof(struct evm_ima_xattr_data)) {
|
||||
evm_status = INTEGRITY_FAIL;
|
||||
goto out;
|
||||
}
|
||||
rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
|
||||
xattr_value_len, calc.digest);
|
||||
if (rc)
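Review bot: The added check on the `EVM_XATTR_HMAC` arm requires `xattr_len` to equal `sizeof(struct evm_ima_xattr_data)` exactly but does not say why, and the remaining `case` arms of this switch lie outside the hunk, so whether a signature-type value receives an equivalent bound before `xattr_data` is used further cannot be confirmed from here. A one-line comment would help the next reader: `/* HMAC values are fixed-size; any other length is a malformed or truncated xattr */`. If the signature arm relies on a length check elsewhere (for instance inside the signature verifier), that dependency deserves a note on this switch as well. evm_verify_hmac starts and continues outside the hunk.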
|
||||
|
|
|
@ -130,6 +130,7 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
|
|||
int xattr_len)
|
||||
{
|
||||
struct signature_v2_hdr *sig;
|
||||
enum hash_algo ret;
|
||||
|
||||
if (!xattr_value || xattr_len < 2)
|
||||
/* return default hash algo */
|
||||
|
@ -143,7 +144,9 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
|
|||
return sig->hash_algo;
|
||||
break;
|
||||
case IMA_XATTR_DIGEST_NG:
|
||||
return xattr_value->digest[0];
|
||||
ret = xattr_value->digest[0];
|
||||
if (ret < HASH_ALGO__LAST)
|
||||
return ret;
|
||||
break;
|
||||
case IMA_XATTR_DIGEST:
|
||||
/* this is for backward compatibility */
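Review bot: The new range check `if (ret < HASH_ALGO__LAST) return ret;` silently falls through to `break` when `digest[0]` is out of range, and the hunk does not show what the caller receives in that case (the function's tail is outside the hunk); the reason for the check — presumably that the algorithm byte comes from an xattr the kernel did not write and must not be used to index per-algorithm tables — deserves a comment such as `/* digest[0] is untrusted xattr data; reject ids outside enum hash_algo before anything indexes on them */`. The `if (!xattr_value || xattr_len < 2)` guard at the top of this function is what makes reading `digest[0]` safe, so the two checks should stay together if the switch is reshuffled later. Comparing an `enum hash_algo` with `<` also relies on the enum having no negative enumerators; comparing `xattr_value->digest[0]` directly, or through a `u8` local, would make the unsigned range check explicit.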
|
||||
|
@ -384,14 +387,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
|
|||
result = ima_protect_xattr(dentry, xattr_name, xattr_value,
|
||||
xattr_value_len);
|
||||
if (result == 1) {
|
||||
bool digsig;
|
||||
|
||||
if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
|
||||
return -EINVAL;
|
||||
digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
|
||||
if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
|
||||
return -EPERM;
|
||||
ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
|
||||
ima_reset_appraise_flags(d_backing_inode(dentry),
|
||||
(xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
|
||||
result = 0;
|
||||
}
|
||||
return result;
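Review bot: If the new side of this hunk is the `ima_reset_appraise_flags(d_backing_inode(dentry), (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);` form, as the old-before-new print order and the -14/+10 counts suggest, the merge result no longer returns `-EPERM` for a non-signature `security.ima` value while `ima_appraise & IMA_APPRAISE_ENFORCE` is set, so a caller that passes `ima_protect_xattr` can replace a signature with a plain hash under an enforcing policy. If that relaxation is intended it should be stated above the call, e.g. `/* any well-formed type is accepted here; enforcement happens at appraisal time */`, adjusted to whatever the actual policy is. As a point of style the `? 1 : 0` is redundant: `ima_reset_appraise_flags(d_backing_inode(dentry), xvalue->type == EVM_IMA_XATTR_DIGSIG);` reads the same. The `if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))` check is present on both sides and still guards the `xvalue->type` read.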
|
||||
|
|
|
@ -401,7 +401,7 @@ static int ima_release_policy(struct inode *inode, struct file *file)
|
|||
const char *cause = valid_policy ? "completed" : "failed";
|
||||
|
||||
if ((file->f_flags & O_ACCMODE) == O_RDONLY)
|
||||
return 0;
|
||||
return seq_release(inode, file);
|
||||
|
||||
if (valid_policy && ima_check_policy() < 0) {
|
||||
cause = "failed";
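Review bot: The read-only path now calls `seq_release(inode, file)` instead of returning 0, but nothing at the call site explains why only the read path needs it; a short comment would spare the next reader a trip to the open handler: `/* O_RDONLY opens are seq_open()ed: release the seq_file, there is no policy to load */`. This assumes the matching open uses seq_open for read-only files, which is outside the hunk and should be confirmed before the comment is committed. ima_release_policy's body continues outside the hunk.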
|
||||
|
|
|
@ -115,7 +115,8 @@ int __init ima_init(void)
|
|||
ima_used_chip = 1;
|
||||
|
||||
if (!ima_used_chip)
|
||||
pr_info("No TPM chip found, activating TPM-bypass!\n");
|
||||
pr_info("No TPM chip found, activating TPM-bypass! (rc=%d)\n",
|
||||
rc);
|
||||
|
||||
rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
|
||||
if (rc)
|
||||
|
|