Re: [PATCH 3/3] IMA: add support to measure duplicate buffer for critical data hook

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Tushar,

On Fri, 2021-01-29 at 16:45 -0800, Tushar Sugandhi wrote:

> diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
> 
> index c096ef8945c7..fbf359495fa8 100644
> --- a/security/integrity/ima/ima_queue.c
> +++ b/security/integrity/ima/ima_queue.c
> @@ -158,7 +158,7 @@ static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr)
>   */
>  int ima_add_template_entry(struct ima_template_entry *entry, int violation,
>  			   const char *op, struct inode *inode,
> -			   const unsigned char *filename)
> +			   const unsigned char *filename, bool allow_dup)
>  {
>  	u8 *digest = entry->digests[ima_hash_algo_idx].digest;
> 
 	struct tpm_digestate_entry(struct ima_template_entry *entry, int violation,
>  
>  	mutex_lock(&ima_extend_list_mutex);
>  	if (!violation) {
> -		if (ima_lookup_digest_entry(digest, entry->pcr)) {
> +		if (!allow_dup &&
> +		    ima_lookup_digest_entry(digest, entry->pcr)) {

Can't this change be simplified to "if (!violation && !allow_dup)"?

Also perhaps instead of passing another variable "allow_dup" to each of
these functions, pass a mask containing violation and allow_dup.

>  			audit_cause = "hash_exists";
>  			result = -EEXIST;
>  			goto out;

thanks,

Mimi




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux