Re: [PATCH v6 2/5] IMA: block writes of the security.ima xattr with unsupported algorithms

Hi Mimi,

On 8/10/21 1:34 AM, Mimi Zohar wrote:
> On Wed, 2021-08-04 at 09:20 +0000, THOBY Simon wrote:
>> +static int validate_hash_algo(struct dentry *dentry,
>> +                                  const struct evm_ima_xattr_data *xattr_value,
>> +                                  size_t xattr_value_len)
>> +{
>> +       int result = 0;
>> +       char *path = NULL, *pathbuf = NULL;
>> +       enum hash_algo xattr_hash_algo;
>> +
>> +       xattr_hash_algo = ima_get_hash_algo(xattr_value, xattr_value_len);
>> +
>> +       if (likely(xattr_hash_algo == ima_hash_algo ||
>> +                  crypto_has_alg(hash_algo_name[xattr_hash_algo], 0, 0)))
>> +               return result;
>> +
>> +       result = -EACCES;
>> +
>> +       pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
>> +       if (!pathbuf)
>> +               return result;
>> +
>> +       path = dentry_path(dentry, pathbuf, PATH_MAX);
>> +
>> +       integrity_audit_msg(AUDIT_INTEGRITY_DATA, d_inode(dentry), path,
>> +                           "collect_data", "unavailable-hash-algorithm",
>> +                           result, 0);
> 
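Review bot: dentry_path() can return an ERR_PTR (-ENAMETOOLONG when the path does not fit in PATH_MAX), and the hunk hands its return value to integrity_audit_msg() as the path without checking it, so the audit helper would dereference an error pointer in that case. Suggest guarding the call the same way ima_d_path() does for d_absolute_path():

	path = dentry_path(dentry, pathbuf, PATH_MAX);
	if (IS_ERR(path))
		path = NULL;

so the refusal is still audited with the inode details even when the name cannot be rendered. Related, the early return on kmalloc() failure means a refused write is then not audited at all; returning -EACCES there is the right choice (failing closed), but the silent drop of the audit record deserves a one-line comment.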
> "collect_data" refers to calculating the file hash,
> ima_collect_measurement(), which may be stored in the measurement list,
> used for verifying the signature and/or included in the audit record.
> 
> validate_hash_algo() verifies the hash algorithm before allowing the
> file hash or signature to be written as security.ima.  Instead of
> "collect_data" it should be "set_data" or something similar.

I will update that in the next patchset.

> 
> thanks,
> 
> Mimi
> 
>> +
>> +       kfree(pathbuf);
>> +
>> +       return result;
> 
> 

Thanks,
Simon
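To make the gate discussed above concrete, here is a userspace C model of it, added as an illustration; it is not the kernel's code, the patch's code, or anything the thread's participants wrote. The security.ima value layouts (legacy digest, digest-ng, v2 signature header) and the hash_algo numbering follow the kernel's uapi headers, but kernel_has_alg(), last_audit, the sha256 policy default, the HASH_ALGO__LAST sentinel value and all sample xattr values are assumptions or constructed inputs. It also shows a behaviour of the kernel's ima_get_hash_algo() that the gate inherits: a malformed or out-of-range algorithm id falls back to the policy default, so such a write is not refused here and is left for appraisal to judge.

```c
/* Userspace model of the write-time hash-algorithm gate: an added illustration,
 * not kernel code.  Xattr layouts and hash_algo numbers follow the kernel's uapi
 * headers; kernel_has_alg() and last_audit are assumed stand-ins for
 * crypto_has_alg() and integrity_audit_msg(). */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type byte of a security.ima value (enum evm_ima_xattr_type). */
#define IMA_XATTR_DIGEST     0x01 /* legacy md5/sha1 digest, no algo byte */
#define EVM_IMA_XATTR_DIGSIG 0x03 /* signature_v2_hdr + signature bytes */
#define IMA_XATTR_DIGEST_NG  0x04 /* algo byte followed by the digest */

/* Subset of enum hash_algo (include/uapi/linux/hash_info.h). */
#define HASH_ALGO_MD5     1
#define HASH_ALGO_SHA1    2
#define HASH_ALGO_SHA256  4
#define HASH_ALGO_SHA512  6
#define HASH_ALGO_SM3_256 17
#define HASH_ALGO__LAST   20 /* sentinel; assumed for this model */

static const int ima_hash_algo = HASH_ALGO_SHA256; /* assumed policy default */
char last_audit[128]; /* most recent audit record (stand-in for the audit log) */

/* Stand-in for crypto_has_alg(): constructed table of what this hypothetical
 * kernel build can compute.  SM3 is deliberately left out. */
static bool kernel_has_alg(int algo)
{
	switch (algo) {
	case HASH_ALGO_MD5: case HASH_ALGO_SHA1:
	case HASH_ALGO_SHA256: case HASH_ALGO_SHA512:
		return true;
	default:
		return false;
	}
}

/* Modeled on ima_get_hash_algo(): read the digest algorithm out of the xattr
 * value, falling back to the policy default on anything malformed. */
int get_hash_algo(const uint8_t *x, size_t len)
{
	if (!x || len < 2)
		return ima_hash_algo;
	switch (x[0]) {
	case EVM_IMA_XATTR_DIGSIG:
		/* 9-byte signature_v2_hdr (type, version, algo, be32 keyid, be16 sig_size) */
		if (x[1] != 2 || len <= 9 || x[2] >= HASH_ALGO__LAST)
			return ima_hash_algo;
		return x[2];
	case IMA_XATTR_DIGEST_NG:
		if (x[1] < HASH_ALGO__LAST)
			return x[1];
		break;
	case IMA_XATTR_DIGEST:
		/* no algo byte: 16-byte md5, 20-byte sha1, or md5 zero-padded to 20 */
		if (len == 17)
			return HASH_ALGO_MD5;
		if (len == 21)
			return (x[17] | x[18] | x[19] | x[20]) ? HASH_ALGO_SHA1 : HASH_ALGO_MD5;
		break;
	}
	return ima_hash_algo;
}

/* The gate: 0 lets the setxattr proceed; -EACCES refuses it and records why. */
int validate_hash_algo(const char *path, const uint8_t *x, size_t len)
{
	int algo = get_hash_algo(x, len);

	if (algo == ima_hash_algo || kernel_has_alg(algo))
		return 0;
	snprintf(last_audit, sizeof last_audit,
		 "op=set_data cause=unavailable-hash-algorithm algo=%d name=%s",
		 algo, path);
	return -EACCES;
}

/* Constructed sample values; digest and signature bytes are arbitrary. */
const uint8_t sample_ng_sha256[34] = { IMA_XATTR_DIGEST_NG, HASH_ALGO_SHA256, 0xaa };
const uint8_t sample_ng_sm3[34] = { IMA_XATTR_DIGEST_NG, HASH_ALGO_SM3_256, 0xaa };
const uint8_t sample_ng_badalgo[34] = { IMA_XATTR_DIGEST_NG, 0xff, 0xaa };
const uint8_t sample_sig_sha512[13] = { EVM_IMA_XATTR_DIGSIG, 2, HASH_ALGO_SHA512,
					0xde, 0xad, 0xbe, 0xef, 0x00, 0x04, 1, 2, 3, 4 };
const uint8_t sample_legacy_sha1[21] = { IMA_XATTR_DIGEST, 0x11, 0x12, 0x13, 0x14,
	0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
	0x21, 0x22, 0x23, 0x24 };

int main(void)
{
	int rc = validate_hash_algo("/usr/bin/demo", sample_ng_sm3, sizeof sample_ng_sm3);
	printf("digest-ng/sm3: rc=%d audit=\"%s\"\n", rc, last_audit);
	rc = validate_hash_algo("/usr/bin/demo", sample_ng_badalgo, sizeof sample_ng_badalgo);
	printf("digest-ng/0xff: rc=%d (a malformed id falls back to the default)\n", rc);
	return 0;
}
```

The point of the model is the ordering: the algorithm is parsed from the xattr exactly as the kernel later will when appraising, and the write is refused only when that parsed algorithm is neither the policy default nor something the running kernel can compute, which is the state that would otherwise make the file permanently unverifiable.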
