author | Dmitry Kasatkin <d.kasatkin@samsung.com> | 2014-08-15 06:49:22 -0400 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2014-09-08 17:36:10 -0400 |
commit | 1f1009791b2e81f106d4809007720495ba3ed90c (patch) | |
tree | 83a155c205d0bab7821b2a23ffbe2741c3c19cc4 /security/integrity | |
parent | e7d021e28328e0cc47b21cb9c6d8885326b0c2f5 (diff) |
evm: prevent passing integrity check if xattr read fails
This patch fixes a bug, where evm_verify_hmac() returns INTEGRITY_PASS
if inode->i_op->getxattr() returns an error in evm_find_protected_xattrs.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Diffstat (limited to 'security/integrity')
-rw-r--r-- | security/integrity/evm/evm_main.c | 7 |
1 files changed, 4 insertions, 3 deletions
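--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -126,14 +126,15 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
 GFP_NOFS);
 if (rc <= 0) {
-if (rc == 0)
-evm_status = INTEGRITY_FAIL; /* empty */
-else if (rc == -ENODATA) {
+evm_status = INTEGRITY_FAIL;
+if (rc == -ENODATA) {
 rc = evm_find_protected_xattrs(dentry);
 if (rc > 0)
 evm_status = INTEGRITY_NOLABEL;
 else if (rc == 0)
 evm_status = INTEGRITY_NOXATTRS; /* new file */
+} else if (rc == -EOPNOTSUPP) {
+evm_status = INTEGRITY_UNKNOWN;
 }
 goto out;
 }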
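Review bot: The new `else if (rc == -EOPNOTSUPP)` branch exempts one error code from the fail-closed default and returns `INTEGRITY_UNKNOWN`, yet neither the commit message nor the code explains why. How callers treat `INTEGRITY_UNKNOWN` is not visible in this hunk, so the branch should carry a comment stating the intended rationale and confirming that the status is not handled as a pass. The fix itself is also implicit: a negative return from `evm_find_protected_xattrs()` yields a failure only because `evm_status = INTEGRITY_FAIL;` was assigned before the `if`. The dropped `/* empty */` comment could be replaced on that assignment with something like `/* default: fail closed on empty xattr (rc == 0) or any read error */`, so a later edit does not reintroduce the pass-through. The body of `evm_verify_hmac()` starts and ends outside the hunk.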