On Fri, 2018-03-16 at 17:38 -0300, Thiago Jung Bauermann wrote: > With the introduction of another IMA signature type (modsig), some places > will need to check for both of them. It is cleaner to do that if there's a > helper function to tell whether an xattr_value represents an IMA > signature. Initially the function name "is_ima_sig" is fine, since it reflects the 'imasig' type. Having a more generic function name would be better when adding 'modsig' support. As long as the function is locally define, we can drop 'ima' from the name. Perhaps something like has_signature or is_signed() would be preferable. Mimi > > Suggested-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> > Signed-off-by: Thiago Jung Bauermann <bauerman@xxxxxxxxxxxxxxxxxx> > --- > security/integrity/ima/ima.h | 5 +++++ > security/integrity/ima/ima_appraise.c | 7 +++---- > security/integrity/ima/ima_template_lib.c | 2 +- > 3 files changed, 9 insertions(+), 5 deletions(-) > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index 35fe91aa1fc9..4bafa6a97967 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -155,6 +155,11 @@ unsigned long ima_get_binary_runtime_size(void); > int ima_init_template(void); > void ima_init_template_list(void); > > +static inline bool is_ima_sig(const struct evm_ima_xattr_data *xattr_value) > +{ > + return xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG; > +} > + > /* > * used to protect h_table and sha_table > */ > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > index a6b2995b7d0b..01172eab297b 100644 > --- a/security/integrity/ima/ima_appraise.c > +++ b/security/integrity/ima/ima_appraise.c > @@ -325,15 +325,14 @@ int ima_appraise_measurement(enum ima_hooks func, > } else if (status != INTEGRITY_PASS) { > /* Fix mode, but don't replace file signatures. */ > if ((ima_appraise & IMA_APPRAISE_FIX) && > - (!xattr_value || > - xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { > + !is_ima_sig(xattr_value)) { > if (!ima_fix_xattr(dentry, iint)) > status = INTEGRITY_PASS; > } > > /* Permit new files with file signatures, but without data. */ > if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE && > - xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) { > + is_ima_sig(xattr_value)) { > status = INTEGRITY_PASS; > } > > @@ -448,7 +447,7 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, > if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) > return -EINVAL; > ima_reset_appraise_flags(d_backing_inode(dentry), > - xvalue->type == EVM_IMA_XATTR_DIGSIG); > + is_ima_sig(xvalue)); > result = 0; > } > return result; > diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c > index 5afaa53decc5..afb52a90e532 100644 > --- a/security/integrity/ima/ima_template_lib.c > +++ b/security/integrity/ima/ima_template_lib.c > @@ -380,7 +380,7 @@ int ima_eventsig_init(struct ima_event_data *event_data, > { > struct evm_ima_xattr_data *xattr_value = event_data->xattr_value; > > - if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG)) > + if (!is_ima_sig(xattr_value)) > return 0; > > return ima_write_template_field_data(xattr_value, event_data->xattr_len, >