aboutsummaryrefslogtreecommitdiffstats
path: root/security/integrity
diff options
context:
space:
mode:
authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-08-15 06:49:22 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2014-09-08 17:36:10 -0400
commit1f1009791b2e81f106d4809007720495ba3ed90c (patch)
tree83a155c205d0bab7821b2a23ffbe2741c3c19cc4 /security/integrity
parente7d021e28328e0cc47b21cb9c6d8885326b0c2f5 (diff)
evm: prevent passing integrity check if xattr read fails
This patch fixes a bug, where evm_verify_hmac() returns INTEGRITY_PASS if inode->i_op->getxattr() returns an error in evm_find_protected_xattrs. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/evm/evm_main.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index fb71f55295dc..40220124364c 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -126,14 +126,15 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
126 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, 126 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
127 GFP_NOFS); 127 GFP_NOFS);
128 if (rc <= 0) { 128 if (rc <= 0) {
129 if (rc == 0) 129 evm_status = INTEGRITY_FAIL;
130 evm_status = INTEGRITY_FAIL; /* empty */ 130 if (rc == -ENODATA) {
131 else if (rc == -ENODATA) {
132 rc = evm_find_protected_xattrs(dentry); 131 rc = evm_find_protected_xattrs(dentry);
133 if (rc > 0) 132 if (rc > 0)
134 evm_status = INTEGRITY_NOLABEL; 133 evm_status = INTEGRITY_NOLABEL;
135 else if (rc == 0) 134 else if (rc == 0)
136 evm_status = INTEGRITY_NOXATTRS; /* new file */ 135 evm_status = INTEGRITY_NOXATTRS; /* new file */
136 } else if (rc == -EOPNOTSUPP) {
137 evm_status = INTEGRITY_UNKNOWN;
137 } 138 }
138 goto out; 139 goto out;
139 } 140 }