[PATCH 5/6] EVM: Write out HMAC xattrs in the new format


 



Write out HMACs in the NG format rather than the original format.

Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx>
---
 security/integrity/evm/evm.h        |  2 +-
 security/integrity/evm/evm_crypto.c | 10 ++++++----
 security/integrity/evm/evm_main.c   | 10 ++++++----
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index 1d8201b1fb8a..e4de787508f2 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -56,7 +56,7 @@ int evm_init_key(void);
 int evm_update_evmxattr(struct dentry *dentry,
 			const char *req_xattr_name,
 			const char *req_xattr_value,
-			size_t req_xattr_value_len);
+			size_t req_xattr_value_len, u64 flags);
 int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
 		  const char *req_xattr_value,
 		  size_t req_xattr_value_len, u64 flags, char *digest);
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 9ce55ac6781e..a00c48c52307 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -259,16 +259,18 @@ int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name,
  * Expects to be called with i_mutex locked.
  */
 int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name,
-			const char *xattr_value, size_t xattr_value_len)
+			const char *xattr_value, size_t xattr_value_len,
+			u64 flags)
 {
 	struct inode *inode = d_backing_inode(dentry);
-	struct evm_ima_xattr_data xattr_data;
+	struct evm_hmac_ng_data xattr_data;
 	int rc = 0;
 
 	rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
-			xattr_value_len, evm_default_flags, xattr_data.digest);
+			   xattr_value_len, flags, xattr_data.digest);
 	if (rc == 0) {
-		xattr_data.type = EVM_XATTR_HMAC;
+		xattr_data.hdr.type = EVM_XATTR_HMAC_NG;
+		xattr_data.hdr.flags = cpu_to_be64(flags);
 		rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_EVM,
 					   &xattr_data,
 					   sizeof(xattr_data), 0);
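Review bot: `xattr_data` is declared on the stack without an initialiser and then written out whole via `sizeof(xattr_data)`, while the visible code sets only `hdr.type`, `hdr.flags` and `digest`. The definition of `struct evm_hmac_ng_data` is not part of this patch, so if it or its header has any other field or any padding, uninitialised kernel stack bytes would be stored in the `security.evm` xattr; a `memset(&xattr_data, 0, sizeof(xattr_data));` before the `evm_calc_hmac` call removes that dependency on the layout. The comment block above the function, which begins outside the hunk, should also gain a line for the new argument, e.g. `@flags: flags passed to evm_calc_hmac() and stored big-endian in the NG header`. The function body continues past the end of the hunk.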
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 383f003b428e..77eda423824d 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -188,7 +188,8 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 			    !IS_IMMUTABLE(d_backing_inode(dentry)))
 				evm_update_evmxattr(dentry, xattr_name,
 						    xattr_value,
-						    xattr_value_len);
+						    xattr_value_len,
+						    evm_default_flags);
 		}
 		break;
 	case EVM_XATTR_HMAC_NG:
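Review bot: Every call site in this file passes `evm_default_flags`, here and in the hunks for evm_inode_post_setxattr, evm_inode_post_removexattr and evm_inode_post_setattr, so an inode whose existing NG xattr carries a different flag set has its HMAC rewritten under the current default on the next attribute change. Whether that can narrow what the HMAC covers depends on how `evm_default_flags` is set, which is not visible in this patch; if a file's own flags are meant to be preserved, the update paths would have to read them from the existing xattr first. If the rewrite is intentional, a comment at the call sites such as `/* always re-sign with the system default flags, not those of the existing xattr */` would record the decision. The return value of `evm_update_evmxattr` is also discarded at all four sites, so a failed write of the new-format xattr goes unnoticed. The enclosing switch in evm_verify_hmac starts and ends outside the hunk.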
@@ -427,7 +428,8 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
 
 	evm_reset_status(dentry->d_inode);
 
-	evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
+	evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len,
+			    evm_default_flags);
 }
 
 /**
@@ -447,7 +449,7 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
 
 	evm_reset_status(dentry->d_inode);
 
-	evm_update_evmxattr(dentry, xattr_name, NULL, 0);
+	evm_update_evmxattr(dentry, xattr_name, NULL, 0, evm_default_flags);
 }
 
 /**
@@ -488,7 +490,7 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
 		return;
 
 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
-		evm_update_evmxattr(dentry, NULL, NULL, 0);
+		evm_update_evmxattr(dentry, NULL, NULL, 0, evm_default_flags);
 }
 
 /*
-- 
2.14.2.822.g60be5d43e6-goog



