evm: prevent passing integrity check if xattr read fails

This patch fixes a bug, where evm_verify_hmac() returns INTEGRITY_PASS
if inode->i_op->getxattr() returns an error in evm_find_protected_xattrs.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>

1 files changed, 4 insertions, 3 deletions

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index fb71f55295dc..40220124364c 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -126,14 +126,15 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
         rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
                                 GFP_NOFS);
         if (rc <= 0) {
-                if (rc == 0)
-                        evm_status = INTEGRITY_FAIL; /* empty */
-                else if (rc == -ENODATA) {
+                evm_status = INTEGRITY_FAIL;
+                if (rc == -ENODATA) {
                         rc = evm_find_protected_xattrs(dentry);
                         if (rc > 0)
                                 evm_status = INTEGRITY_NOLABEL;
                         else if (rc == 0)
                                 evm_status = INTEGRITY_NOXATTRS; /* new file */
+                } else if (rc == -EOPNOTSUPP) {
+                        evm_status = INTEGRITY_UNKNOWN;
                 }
                 goto out;
         }