Re: [RFC PATCH v2 01/11] ima: separate 'security.ima' reading functionality from collect
On Tue, 2016-01-19 at 22:00 +0200, Dmitry Kasatkin wrote: > Hi Mimi, > > Please change > > Signed-off-by: Dmitry Kasatkin I'll make the change here and in the other patches as well. Mimi ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
Re: [RFC PATCH v2 01/11] ima: separate 'security.ima' reading functionality from collect
On Thu, Jan 21, 2016 at 3:19 PM, Mimi Zohar wrote: > On Tue, 2016-01-19 at 22:00 +0200, Dmitry Kasatkin wrote: >> Hi Mimi, >> >> Please change >> >> Signed-off-by: Dmitry Kasatkin > > I'll make the change here and in the other patches as well. > > Mimi > Thanks. -- Thanks, Dmitry ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
Re: [RFC PATCH v2 01/11] ima: separate 'security.ima' reading functionality from collect
Hi Mimi, Please change Signed-off-by: Dmitry KasatkinThanks Dmitry On Mon, Jan 18, 2016 at 5:11 PM, Mimi Zohar wrote: > From: Dmitry Kasatkin > > Instead of passing pointers to pointers to ima_collect_measurent() to > read and return the 'security.ima' xattr value, this patch moves the > functionality to the calling process_measurement() to directly read > the xattr and pass only the hash algo to the ima_collect_measurement(). > > Signed-off-by: Dmitry Kasatkin > Signed-off-by: Mimi Zohar > --- > security/integrity/ima/ima.h | 15 +++ > security/integrity/ima/ima_api.c | 15 +++ > security/integrity/ima/ima_appraise.c | 25 ++--- > security/integrity/ima/ima_crypto.c | 2 +- > security/integrity/ima/ima_init.c | 2 +- > security/integrity/ima/ima_main.c | 11 +++ > security/integrity/ima/ima_template.c | 2 -- > security/integrity/ima/ima_template_lib.c | 1 - > 8 files changed, 33 insertions(+), 40 deletions(-) > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index 585af61..fb8da36 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -23,6 +23,7 @@ > #include > #include > #include > +#include > > #include "../integrity.h" > > @@ -140,9 +141,7 @@ static inline unsigned long ima_hash_key(u8 *digest) > int ima_get_action(struct inode *inode, int mask, int function); > int ima_must_measure(struct inode *inode, int mask, int function); > int ima_collect_measurement(struct integrity_iint_cache *iint, > - struct file *file, > - struct evm_ima_xattr_data **xattr_value, > - int *xattr_len); > + struct file *file, enum hash_algo algo); > void ima_store_measurement(struct integrity_iint_cache *iint, struct file > *file, >const unsigned char *filename, >struct evm_ima_xattr_data *xattr_value, 
> @@ -188,8 +187,8 @@ int ima_must_appraise(struct inode *inode, int mask, enum > ima_hooks func); > void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file); > enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, >int func); > -void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len, > - struct ima_digest_data *hash); > +enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, > +int xattr_len); > int ima_read_xattr(struct dentry *dentry, >struct evm_ima_xattr_data **xattr_value); > > @@ -221,10 +220,10 @@ static inline enum integrity_status > ima_get_cache_status(struct integrity_iint_c > return INTEGRITY_UNKNOWN; > } > > -static inline void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, > -int xattr_len, > -struct ima_digest_data *hash) > +static inline enum hash_algo > +ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len) > { > + return ima_hash_algo; > } > > static inline int ima_read_xattr(struct dentry *dentry, > diff --git a/security/integrity/ima/ima_api.c > b/security/integrity/ima/ima_api.c > index 1d950fb..e7c7a5d 100644 > --- a/security/integrity/ima/ima_api.c > +++ b/security/integrity/ima/ima_api.c > @@ -18,7 +18,7 @@ > #include > #include > #include > -#include > + > #include "ima.h" > > /* > @@ -188,9 +188,7 @@ int ima_get_action(struct inode *inode, int mask, int > function) > * Return 0 on success, error code otherwise > */ > int ima_collect_measurement(struct integrity_iint_cache *iint, > - struct file *file, > - struct evm_ima_xattr_data **xattr_value, > - int *xattr_len) > + struct file *file, enum hash_algo algo) > { > const char *audit_cause = "failed"; > struct inode *inode = file_inode(file); 
> @@ -201,9 +199,6 @@ int ima_collect_measurement(struct integrity_iint_cache > *iint, > char digest[IMA_MAX_DIGEST_SIZE]; > } hash; > > - if (xattr_value) > - *xattr_len = ima_read_xattr(file->f_path.dentry, xattr_value); > - > if (!(iint->flags & IMA_COLLECTED)) { > u64 i_version = file_inode(file)->i_version; > > @@ -213,11 +208,7 @@ int ima_collect_measurement(struct integrity_iint_cache > *iint, > goto out; > } > > - /* use default hash algorithm */ > - hash.hdr.algo = ima_hash_algo; > - > - if (xattr_value) > -
[RFC PATCH v2 01/11] ima: separate 'security.ima' reading functionality from collect
From: Dmitry KasatkinInstead of passing pointers to pointers to ima_collect_measurent() to read and return the 'security.ima' xattr value, this patch moves the functionality to the calling process_measurement() to directly read the xattr and pass only the hash algo to the ima_collect_measurement(). Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar --- security/integrity/ima/ima.h | 15 +++ security/integrity/ima/ima_api.c | 15 +++ security/integrity/ima/ima_appraise.c | 25 ++--- security/integrity/ima/ima_crypto.c | 2 +- security/integrity/ima/ima_init.c | 2 +- security/integrity/ima/ima_main.c | 11 +++ security/integrity/ima/ima_template.c | 2 -- security/integrity/ima/ima_template_lib.c | 1 - 8 files changed, 33 insertions(+), 40 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 585af61..fb8da36 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -23,6 +23,7 @@ #include #include #include +#include #include "../integrity.h" @@ -140,9 +141,7 @@ static inline unsigned long ima_hash_key(u8 *digest) int ima_get_action(struct inode *inode, int mask, int function); int ima_must_measure(struct inode *inode, int mask, int function); int ima_collect_measurement(struct integrity_iint_cache *iint, - struct file *file, - struct evm_ima_xattr_data **xattr_value, - int *xattr_len); + struct file *file, enum hash_algo algo); void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, const unsigned char *filename, struct evm_ima_xattr_data *xattr_value, 
@@ -188,8 +187,8 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func); void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file); enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, int func); -void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len, - struct ima_digest_data *hash); +enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, +int xattr_len); int ima_read_xattr(struct dentry *dentry, struct evm_ima_xattr_data **xattr_value); @@ -221,10 +220,10 @@ static inline enum integrity_status ima_get_cache_status(struct integrity_iint_c return INTEGRITY_UNKNOWN; } -static inline void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, -int xattr_len, -struct ima_digest_data *hash) +static inline enum hash_algo +ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len) { + return ima_hash_algo; } static inline int ima_read_xattr(struct dentry *dentry, diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 1d950fb..e7c7a5d 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -18,7 +18,7 @@ #include #include #include -#include + #include "ima.h" /* @@ -188,9 +188,7 @@ int ima_get_action(struct inode *inode, int mask, int function) * Return 0 on success, error code otherwise */ int ima_collect_measurement(struct integrity_iint_cache *iint, - struct file *file, - struct evm_ima_xattr_data **xattr_value, - int *xattr_len) + struct file *file, enum hash_algo algo) { const char *audit_cause = "failed"; struct inode *inode = file_inode(file); @@ -201,9 +199,6 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, char digest[IMA_MAX_DIGEST_SIZE]; } hash; - if (xattr_value) - *xattr_len = ima_read_xattr(file->f_path.dentry, xattr_value); - if (!(iint->flags & IMA_COLLECTED)) { u64 i_version = file_inode(file)->i_version; 
@@ -213,11 +208,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, goto out; } - /* use default hash algorithm */ - hash.hdr.algo = ima_hash_algo; - - if (xattr_value) - ima_get_hash_algo(*xattr_value, *xattr_len, ); + hash.hdr.algo = algo; result = ima_calc_file_hash(file, ); if (!result) { diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 1873b55..9c2b46b 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -15,7 +15,6
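Review bot: `hash.hdr.algo = algo;` stores the caller-supplied value unchecked and the context line right below passes it into `ima_calc_file_hash()`, so whatever validation the removed `ima_get_hash_algo(*xattr_value, *xattr_len, ...)` call applied to an xattr-derived algorithm no longer happens inside this function. When a caller derives `algo` from the `security.ima` xattr, that is on-disk data rather than trusted kernel state, so the range check must either be guaranteed by every `ima_get_hash_algo()` implementation (the `!CONFIG_IMA_APPRAISE` stub in the ima.h hunk simply returns `ima_hash_algo`, which is safe; the ima_appraise.c implementation is not visible in this chunk) or be made explicit here with `if (algo >= HASH_ALGO__LAST) algo = ima_hash_algo;` before the assignment. The kerneldoc above the function, whose visible `* Return 0 on success, error code otherwise` line is untouched by the patch, should also gain `@algo: hash algorithm to compute the file digest with; must be a valid enum hash_algo`. ima_collect_measurement() begins in the previous hunk and continues past this one.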