On Mon, Nov 29, 2021 at 12:00:56PM -0500, Mimi Zohar wrote: > Without the file signature included the IMA measurement list, the type > of file digest is unclear. Limit including fs-verity's file digest in > the IMA measurement list based on whether the template name is ima-sig. > In the future, this could be relaxed to include any template format that > includes the file signature. > > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > --- > security/integrity/ima/ima.h | 3 ++- > security/integrity/ima/ima_api.c | 3 ++- > security/integrity/ima/ima_appraise.c | 3 ++- > security/integrity/ima/ima_main.c | 7 ++++++- > security/integrity/ima/ima_template_lib.c | 3 ++- > 5 files changed, 14 insertions(+), 5 deletions(-) > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index be965a8715e4..ab257e404f8e 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -262,7 +262,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, > int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); > int ima_collect_measurement(struct integrity_iint_cache *iint, > struct file *file, void *buf, loff_t size, > - enum hash_algo algo, struct modsig *modsig); > + enum hash_algo algo, struct modsig *modsig, > + bool veritysig); > void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, > const unsigned char *filename, > struct evm_ima_xattr_data *xattr_value, > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c > index 42c6ff7056e6..179c7f0364c2 100644 > --- a/security/integrity/ima/ima_api.c > +++ b/security/integrity/ima/ima_api.c > @@ -217,7 +217,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, > */ > int ima_collect_measurement(struct integrity_iint_cache *iint, > struct file *file, void *buf, loff_t size, > - enum hash_algo algo, struct modsig *modsig) > + enum hash_algo algo, struct modsig *modsig, > + bool veritysig) 'veritysig' is being added here but it doesn't actually do anything. It seems this patchset is not split up correctly. > + rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, > + NULL, FALSE); > if (rc < 0) > return; false should be used instead of FALSE. > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 465865412100..a73e1e845ea8 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -216,6 +216,7 @@ static int process_measurement(struct file *file, const struct cred *cred, > bool violation_check; > enum hash_algo hash_algo; > unsigned int allowed_algos = 0; > + int veritysig = FALSE; Likewise. > + if (xattr_value && xattr_value->type == IMA_VERITY_DIGSIG && > + strcmp(template_desc->name, "ima-sig") == 0) > + veritysig = TRUE; Likewise, true instead of TRUE. - Eric
