On Wed, 2021-08-04 at 09:20 +0000, THOBY Simon wrote:
> +static int validate_hash_algo(struct dentry *dentry,
> + const struct evm_ima_xattr_data *xattr_value,
> + size_t xattr_value_len)
> +{
> + int result = 0;
> + char *path = NULL, *pathbuf = NULL;
> + enum hash_algo xattr_hash_algo;
> +
> + xattr_hash_algo = ima_get_hash_algo(xattr_value, xattr_value_len);
> +
> + if (likely(xattr_hash_algo == ima_hash_algo ||
> + crypto_has_alg(hash_algo_name[xattr_hash_algo], 0, 0)))
> + return result;
> +
> + result = -EACCES;
> +
> + pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
> + if (!pathbuf)
> + return result;
> +
> + path = dentry_path(dentry, pathbuf, PATH_MAX);
> +
> + integrity_audit_msg(AUDIT_INTEGRITY_DATA, d_inode(dentry), path,
> + "collect_data", "unavailable-hash-algorithm",
> + result, 0);
"collect_data" refers to calculating the file hash, ima_collect_measurement(), which may be stored in the measurement list, used for verifying the signature and/or included in the audit record. validate_hash_algo() verifies the hash algorithm before allowing the file hash or signature to be written as security.ima. Instead of "collect_data" it should be "set_data" or something similar.
thanks, Mimi
> +
> + kfree(pathbuf);
> +
> + return result;