fp = fopen(name, "w");
if (!fp) {
- log_err("Unable to open %s for writing\n", name);
+ log_err("Failed to open: %s\n", name);
return -1;
}
err = fwrite(data, len, 1, fp);
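Review bot: The rewritten message on L4 still goes through `log_err`, so the reason for the failure (ENOENT, EACCES, EROFS) is lost even though the patch's purpose is better diagnostics and the file already has `log_errno` (used at L112) for exactly this case. The same applies to every other `log_err` that follows a failing fopen/open/lstat/opendir/fchdir/chdir/lgetxattr/llistxattr in this patch (L12, L41, L47, L55, L62, L74, L92, L98, L105, L125, L132, L137, L143, L149). Suggest `log_errno("Failed to open for writing: %s\n", name);`, which also keeps the read/write distinction the old text carried, since L12 now uses the identical wording for the read path. The enclosing function starts before the hunk.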
len = get_filesize(name);
fp = fopen(name, "r");
if (!fp) {
- log_err("Unable to open %s\n", name);
+ log_err("Failed to open: %s\n", name);
return NULL;
}
data = malloc(len);
sprintf(path, "blkid -s UUID -o value /dev/block/%u:%u", major, minor);
fp = popen(path, "r");
- if (!fp) {
- log_err("popen() failed\n");
- return -1;
- }
+ if (!fp)
+ goto err;
len = fread(_uuid, 1, sizeof(_uuid), fp);
pclose(fp);
- if (len != sizeof(_uuid)) {
- log_err("fread() failed\n");
- return -1;
- }
+ if (len != sizeof(_uuid))
+ goto err;
return pack_uuid(_uuid, uuid);
+err:
+ log_err("Failed to read UUID. Root access might require.\n");
+ return -1;
}
static int calc_evm_hash(const char *file, unsigned char *hash)
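Review bot: The shared `err:` message on L34 reads "Root access might require", which should be "might be required", and it now reports the popen() failure and the short fread() as one condition, so a user can no longer tell whether blkid could not be started or simply produced no UUID. Suggest keeping a one-line cause in each branch before the jump, e.g. `log_err("popen() failed\n"); goto err;` at L22–23 and `log_err("fread() failed\n"); goto err;` at L30–31, with the label printing `"Failed to read UUID. Root access might be required.\n"`. The return value of `pclose()` on L25 is still ignored, so a blkid that exits non-zero yet prints output of the right length is not caught; that is pre-existing but sits next to the rewritten checks. The enclosing function begins before the hunk.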
int hmac_size;
if (lstat(file, &st)) {
- log_err("lstat() failed\n");
+ log_err("Failed to stat: %s\n", file);
return -1;
}
int fd = open(file, 0);
if (fd < 0) {
- log_err("Unable to open %s\n", file);
+ log_err("Failed to open: %s\n", file);
return -1;
}
if (ioctl(fd, FS_IOC_GETVERSION, &generation)) {
/* stay within the same filesystem*/
err = lstat(path, &st);
if (err < 0) {
- log_err("stat() failed\n");
+ log_err("Failed to stat: %s\n", path);
return err;
}
fs_dev = st.st_dev; /* filesystem to start from */
len = lgetxattr(file, "security.evm", sig, sizeof(sig));
if (len < 0) {
- log_err("getxattr failed\n");
+ log_err("getxattr failed: %s\n", file);
return len;
}
if (sig[0] != 0x03) {
- log_err("security.evm has not signature\n");
+ log_err("security.evm has no signature\n");
return -1;
}
if (xattr) {
len = lgetxattr(file, "security.ima", sig, sizeof(sig));
if (len < 0) {
- log_err("getxattr failed\n");
+ log_err("getxattr failed: %s\n", file);
return len;
}
}
key = file2bin(keyfile, NULL, &keylen);
if (!key) {
- log_err("Unable to read a key: %s\n\n", keyfile);
+ log_err("Failed to read a key: %s\n", keyfile);
return -1;
}
if (keylen > sizeof(evmkey)) {
- log_err("key is too long\n");
+ log_err("key is too long: %d\n", keylen);
goto out;
}
memset(evmkey + keylen, 0, sizeof(evmkey) - keylen);
if (lstat(file, &st)) {
- log_err("lstat() failed\n");
+ log_err("Failed to stat: %s\n", file);
goto out;
}
int fd = open(file, 0);
if (fd < 0) {
- log_err("Unable to open %s\n", file);
+ log_err("Failed to open %s\n", file);
goto out;
}
if (ioctl(fd, FS_IOC_GETVERSION, &generation)) {
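Review bot: L98 drops the colon that every other new open-failure message in this patch carries (`"Failed to open: %s\n"` at L4, L12 and L47), so the same failure is now reported in two formats; `log_err("Failed to open: %s\n", file);` keeps them greppable as one. L86 formats `keylen` with `%d`, which is only correct if `keylen` is declared `int` — its declaration is outside the hunk, and since it is compared against `sizeof(evmkey)` on L84 a `size_t`/`ssize_t` declaration is plausible, in which case the specifier should be `%zu`/`%zd`. The enclosing function starts before and ends after the hunk.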
list_size = llistxattr(file, list, sizeof(list));
if (list_size <= 0) {
- log_err("llistxattr() failed\n");
+ log_err("llistxattr() failed: %s\n", file);
goto out;
}
*/
size = llistxattr(path, list, sizeof(buf));
if (size < 0) {
- log_errno("llistxattr() failed: %s\n", path);
+ log_errno("Failed to read xattrs (llistxattr): %s\n", path);
return -1;
}
for (; size > 0; len++, size -= len, list += len) {
fd = open(path, O_RDONLY);
if (fd < 0) {
- log_errno("%s open failed", path);
+ log_errno("Failed to open file: %s", path);
return -1;
}
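Review bot: The new `log_errno` string on L119 has no trailing newline, while the other `log_errno` call in this patch (L112) ends with `\n`; unless `log_errno` appends its own newline, the errno text for this failure runs into the next line of output. Since the line is being rewritten anyway, suggest `log_errno("Failed to open file: %s\n", path);`. The enclosing function starts before and ends after the hunk.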
int err = lstat(path, &st);
if (err < 0) {
- log_err("stat() failed\n");
+ log_err("Failed to stat: %s\n", path);
return err;
}
if (st.st_dev != fs_dev)
dir = opendir(path);
if (!dir) {
- log_err("Unable to open %s\n", path);
+ log_err("Failed to open directory %s\n", path);
return -1;
}
if (fchdir(dirfd(dir))) {
- log_err("Unable to chdir %s\n", path);
+ log_err("Failed to chdir %s\n", path);
return -1;
}
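Review bot: The fchdir() failure path on L136–138 returns with the `dir` opened on L129 still open, so the rewritten message is logged and a DIR handle leaks; unless `dir` is owned and closed by the caller (its declaration is outside the hunk), the path should be `closedir(dir); return -1;`. L132 also uses `"Failed to open directory %s\n"` without the colon the other new open messages use (`"Failed to open: %s\n"`), which is worth aligning. The enclosing function starts before and ends after the hunk.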
}
if (chdir("..")) {
- log_err("Unable to chdir %s\n", path);
+ log_err("Failed to chdir: %s\n", path);
return -1;
}
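Review bot: The new message on L143 names `path`, but the call on L141 is `chdir("..")`, so on failure the log reports the directory just processed rather than the one the process failed to enter. `log_err("Failed to chdir to parent of %s\n", path);` describes the actual failure without needing the resolved parent. The enclosing function starts before and ends after the hunk.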
fp = fopen(file, "rb");
if (!fp) {
- log_err("Unable to open measurement file\n");
+ log_err("Failed to open measurement file: %s\n", file);
return -1;
}
printf(
"\n"
" -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512\n"
- " -s, --imasig also make IMA signature\n"
- " -d, --imahash also make IMA hash\n"
+ " -s, --imasig make IMA signature\n"
+ " -d, --imahash make IMA hash\n"
" -f, --sigfile store IMA signature in .sig file instead of xattr\n"
- " -1, --rsa signing key is in RSA DER format (signing v1)\n"
- " -k, --key path to signing key (default keys are /etc/keys/{privkey,pubkey}_evm.pem)\n"
+ " --rsa use RSA key type and signing scheme v1\n"
+ " -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n"
" -p, --pass password for encrypted signing key\n"
- " -u, --uuid use file system UUID in HMAC calculation (EVM v2)\n"
- " -t, --type file types to fix 'fdsxm' (f - file, d - directory, s - block/char/symlink)\n"
- " x - skip fixing if both ima and evm xattrs exist (caution: they may be wrong)\n"
+ " -r, --recursive recurse into directories (sign)\n"
+ " -t, --type file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)\n"
+ " x - skip fixing if both ima and evm xattrs exist (use with caution)\n"
" m - stay on the same filesystem (like 'find -xdev')\n"
" -n print result to stdout instead of setting xattr\n"
- " -r, --recursive recurse into directories (sign)\n"
- " --m32 force signature for 32 bit target system\n"
- " --m64 force signature for 32 bit target system\n"
+ " -u, --uuid use custom FS UUID for EVM (unspecified: from FS, empty: do not use)\n"
+ " --m32 force EVM hmac/signature for 32 bit target system\n"
+ " --m64 force EVM hmac/signature for 64 bit target system\n"
" -v increase verbosity level\n"
" -h, --help display this help and exit\n"
"\n");
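Review bot: L162 removes the `-1` short form from the `--rsa` line and L176 documents `-u, --uuid` as taking an optional value ("unspecified: from FS, empty: do not use"); both are claims about the option table, which is outside this hunk. If `-1` is still in the getopt string it is now an undocumented alias that should either be listed again or dropped from the table, and the `-u` wording only holds if that option is registered with `optional_argument` — worth confirming in the same commit. The printf() call itself is wholly inside the hunk.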