Re: [PATCH 1/3] libimaevm: Implement imaevm_create_ima_signature

On Tue, Apr 20, 2021, at 2:30 PM, Stefan Berger wrote:

> + fd = open(filename, O_RDONLY);

Missing O_CLOEXEC.

> +int imaevm_create_ima_signature(const char *filename, EVP_PKEY *pkey, 

It'd maximize flexibility for the caller to pass a file descriptor, and not a file name.

> +	if (statbuf.st_size > 0) {
> +		addr = mmap(NULL, statbuf.st_size, PROT_READ, MAP_SHARED, fd, 0);
> +		if (addr == MAP_FAILED) {
> +			asprintf(error, "Failed to mmap file: %s", strerror(errno));
> +			goto err_close;
> +		}
> +	}
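
Review bot: the asprintf() call in the MAP_FAILED branch ignores its return value; if that allocation fails, the contents of *error are undefined and the caller may print or free a garbage pointer. Check the result and set *error = NULL when it is negative before the goto err_close.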

Tangentially related to this, I think we should consider doing the same optimization here:
https://github.com/ostreedev/ostree/blob/36693f064c63dad550ebcfed33bf9b95806ddef9/src/libotutil/ot-fs-utils.c#L171

Or alternatively, just have the caller provide a (mmap'd or copied-via-read()) buffer?

Though clearly the most flexible is a streaming API.  But eh, I am not really concerned about that level of performance.
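
The points raised in this reply (O_CLOEXEC, taking a file descriptor instead of a name, and read() for small files with mmap() for large ones) combined in one loader, as an added example that is not code from the patch, libimaevm or ostree. The names `file_buf`, `open_ro_cloexec`, `load_fd`, `free_buf` and the 16 KiB threshold are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#define MMAP_THRESHOLD (16 * 1024) /* assumed cut-over size, tune per workload */
struct file_buf { void *data; size_t len; int mapped; }; /* hypothetical type */

/* Open read-only; O_CLOEXEC keeps the fd out of exec'd child processes. */
int open_ro_cloexec(const char *path)
{
	return open(path, O_RDONLY | O_CLOEXEC);
}

/* Load what fd refers to. The caller keeps ownership of fd and its offset. */
int load_fd(int fd, struct file_buf *out)
{
	struct stat st;
	size_t off = 0;
	out->data = NULL; out->len = 0; out->mapped = 0;
	if (fstat(fd, &st) < 0)
		return -errno;
	if (!S_ISREG(st.st_mode))
		return -EINVAL;              /* pipe, socket, directory, ... */
	if (st.st_size == 0)
		return 0;                    /* mmap() rejects a zero length */
	out->len = (size_t)st.st_size;
	if (out->len > MMAP_THRESHOLD) { /* large file: map it, no copy */
		out->data = mmap(NULL, out->len, PROT_READ, MAP_PRIVATE, fd, 0);
		if (out->data == MAP_FAILED) { out->data = NULL; return -errno; }
		out->mapped = 1;
		return 0;
	}
	if (!(out->data = malloc(out->len))) /* small file: plain read into heap */
		return -ENOMEM;
	while (off < out->len) {         /* pread() leaves the fd offset alone */
		ssize_t n = pread(fd, (char *)out->data + off, out->len - off, (off_t)off);
		if (n < 0 && errno == EINTR) continue;
		if (n <= 0) {                /* error, or the file shrank under us */
			int e = n < 0 ? errno : EIO;
			free(out->data); out->data = NULL;
			return -e;
		}
		off += (size_t)n;
	}
	return 0;
}
void free_buf(struct file_buf *b) { if (b->mapped) munmap(b->data, b->len); else free(b->data); }
```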


