> diff --git a/security/integrity/ima/ima_appraise.c 
> b/security/integrity/ima/ima_appraise.c
> index 87d2b601cf8e..5a244ebc61d9 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -190,6 +190,64 @@ int ima_read_xattr(struct dentry *dentry,
>       return ret;
>  }
> 
> +static void process_xattr_error(int rc, struct integrity_iint_cache *iint,
> +                             int opened, char const **cause,
> +                             enum integrity_status *status)
> +{
> +     if (rc && rc != -ENODATA)
> +             return;
> +
> +     *cause = iint->flags & IMA_DIGSIG_REQUIRED ?
> +             "IMA-signature-required" : "missing-hash";
> +     *status = INTEGRITY_NOLABEL;
> +
> +     if (opened & FILE_CREATED)
> +             iint->flags |= IMA_NEW_FILE;
> +
> +     if ((iint->flags & IMA_NEW_FILE) &&
> +         !(iint->flags & IMA_DIGSIG_REQUIRED))
> +             *status = INTEGRITY_PASS;
> +}
> +
> +static int appraise_modsig(struct integrity_iint_cache *iint,
> +                        struct evm_ima_xattr_data *xattr_value,
> +                        int xattr_len)
> +{
> +     enum hash_algo algo;
> +     const void *digest;
> +     void *buf;
> +     int rc, len;
> +     u8 dig_len;
> +
> +     rc = ima_modsig_verify(INTEGRITY_KEYRING_IMA, xattr_value);
> +     if (rc)
> +             return rc;
> +
> +     /*
> +      * The signature is good. Now let's put the sig hash
> +      * into the iint cache so that it gets stored in the
> +      * measurement list.
> +      */
> +
> +     rc = ima_get_modsig_hash(xattr_value, &algo, &digest, &dig_len);
> +     if (rc)
> +             return rc;
> +
> +     len = sizeof(iint->ima_hash) + dig_len;
> +     buf = krealloc(iint->ima_hash, len, GFP_NOFS);
> +     if (!buf)
> +             return -ENOMEM;
> +
> +     iint->ima_hash = buf;
> +     iint->flags |= IMA_DIGSIG;
> +     iint->ima_hash->algo = algo;
> +     iint->ima_hash->length = dig_len;
> +
> +     memcpy(iint->ima_hash->digest, digest, dig_len);
> +
> +     return 0;
> +}

Depending on the IMA policy, the file could already have been
measured.  That measurement list entry might include the file
signature, as stored in the xattr, in the ima-sig template data.

I think even if a measurement list entry exists, we would want an
additional measurement list entry, which includes the appended
signature in the ima-sig template data.

Mimi

Reply via email to