Hey Mimi, Just a gentle ping on this one. On Wed, Jan 04, 2023 at 03:41:44AM +0000, Matt Bobrowski wrote: > Restore the error handling logic so that when file measurement fails, > the respective iint entry is not left with the digest data being > populated with zeroes. > > Fixes: 54f03916fb89 ("ima: permit fsverity's file digests in the IMA measurement list") > Signed-off-by: Matt Bobrowski <mattbobrowski@xxxxxxxxxx> > --- > security/integrity/ima/ima_api.c | 2 +- > security/integrity/ima/ima_main.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c > index c1e76282b5ee..1e3a7a4f8833 100644 > --- a/security/integrity/ima/ima_api.c > +++ b/security/integrity/ima/ima_api.c > @@ -292,7 +292,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, > result = ima_calc_file_hash(file, &hash.hdr); > } > > - if (result == -ENOMEM) > + if (result && result != -EBADF && result != -EINVAL) > goto out; > > length = sizeof(hash.hdr) + hash.hdr.length; > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 377300973e6c..b1ae0f2751f1 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -337,7 +337,7 @@ static int process_measurement(struct file *file, const struct cred *cred, > hash_algo = ima_get_hash_algo(xattr_value, xattr_len); > > rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig); > - if (rc == -ENOMEM) > + if (rc != 0 && rc != -EBADF && rc != -EINVAL) > goto out_locked; > > if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */ > -- > 2.39.0.314.g84b9a713c41-goog /M
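Review bot: In the ima_api.c hunk, the new check `if (result && result != -EBADF && result != -EINVAL)` exempts two error codes without saying why. For -EBADF and -EINVAL the function still falls through to `length = sizeof(hash.hdr) + hash.hdr.length;` even though the hash calculation reported a failure, which the commit message does not mention. Please add a short comment above the check stating why these two results are tolerated and what digest content callers should expect in that case.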
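Review bot: In the ima_main.c hunk, the check is spelled `rc != 0 && rc != -EBADF && rc != -EINVAL`, while the matching check in ima_collect_measurement() is spelled `result && ...`; please use one form in both places. The same pair of tolerated errors is now open-coded in two files, so a small shared helper or macro would keep the two checks in sync. A comment at this call site noting that -EBADF and -EINVAL deliberately continue past `goto out_locked` would also help.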